All the vulnerabilites related to Red Hat - Red Hat Quay 3
cve-2024-5891
Vulnerability from cvelistv5
Published
2024-06-12 13:16
Modified
2024-08-02 16:17
Severity ?
EPSS score ?
Summary
A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-5891 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2283879 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-5891", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-13T20:08:08.289708Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-13T20:10:28.863Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:25:03.183Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-5891" }, { "name": "RHBZ#2283879", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283879" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "unknown", "packageName": "quay", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "datePublic": "2024-06-11T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1390", "description": "Weak Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T16:17:31.664Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-5891" }, { "name": "RHBZ#2283879", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283879" } ], "timeline": [ { "lang": "en", "time": "2024-05-29T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-06-11T00:00:00+00:00", "value": "Made public." } ], "title": "Quay: unauthorized user may authenticate via oauth application token", "x_redhatCweChain": "CWE-1390: Weak Authentication" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-5891", "datePublished": "2024-06-12T13:16:54.443Z", "dateReserved": "2024-06-12T03:55:16.696Z", "dateUpdated": "2024-08-02T16:17:31.664Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-9676
Vulnerability from cvelistv5
Published
2024-10-15 15:27
Modified
2024-12-01 23:14
Severity ?
EPSS score ?
Summary
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 8 |
Unaffected: 8100020241101101019.afee755d < * cpe:/a:redhat:enterprise_linux:8::appstream |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-9676", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T15:45:48.644647Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T15:46:17.963Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8100020241101101019.afee755d", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:4.9.4-16.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:5.2.2-9.el9_5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.37.5-1.el9_5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.4::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.33.11-1.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.12::el8", "cpe:/a:redhat:openshift:4.12::el9", "cpe:/a:redhat:openshift_ironic:4.12::el9" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.12", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.25.5-30.rhaos4.12.git53dc492.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.26.5-26.rhaos4.13.giteb3d487.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.27.8-12.rhaos4.14.git7597c43.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el8", "cpe:/a:redhat:openshift:4.15::el9" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.28.11-5.rhaos4.15.git35a2431.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ironic:4.16::el9", "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.29.9-6.rhaos4.16.gite7bd45a.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:4.9.4-14.rhaos4.16.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9", "cpe:/a:redhat:openshift:4.17::el8" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.30.6-6.rhaos4.17.git6ac6e96.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9", "cpe:/a:redhat:openshift:4.17::el8" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "5:5.2.2-1.rhaos4.17.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-agent-base-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "conmon", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "buildah", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "conmon", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-docker-builder", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay/quay-builder-rhel8", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Erik Sj\u00f6lund \u003cerik.sjolund@gmail.com\u003e for reporting this issue." } ], "datePublic": "2024-10-15T15:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-01T23:14:03.181Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:10289", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:10289" }, { "name": "RHSA-2024:8418", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8418" }, { "name": "RHSA-2024:8428", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8428" }, { "name": "RHSA-2024:8437", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8437" }, { "name": "RHSA-2024:8686", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8686" }, { "name": "RHSA-2024:8690", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8690" }, { "name": "RHSA-2024:8694", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8694" }, { "name": "RHSA-2024:8700", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8700" }, { "name": "RHSA-2024:8984", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8984" }, { "name": "RHSA-2024:9051", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9051" }, { "name": "RHSA-2024:9454", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9454" }, { "name": "RHSA-2024:9459", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9459" }, { "name": "RHSA-2024:9926", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9926" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-9676" }, { "name": "RHBZ#2317467", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317467" }, { "url": "https://github.com/advisories/GHSA-wq2p-5pc6-wpgf" } ], "timeline": [ { "lang": "en", "time": "2024-10-09T02:59:07.708000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-10-15T15:00:00+00:00", "value": "Made public." } ], "title": "Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-9676", "datePublished": "2024-10-15T15:27:33.665Z", "dateReserved": "2024-10-09T03:02:48.802Z", "dateUpdated": "2024-12-01T23:14:03.181Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4956
Vulnerability from cvelistv5
Published
2023-11-07 19:12
Modified
2024-11-13 23:04
Severity ?
EPSS score ?
Summary
A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-4956 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2238886 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:44:53.496Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-4956" }, { "name": "RHBZ#2238886", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238886" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Oleg Sushchenko (Red Hat)." } ], "datePublic": "2023-09-15T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Low" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1021", "description": "Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-13T23:04:24.838Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-4956" }, { "name": "RHBZ#2238886", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238886" } ], "timeline": [ { "lang": "en", "time": "2023-09-14T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-09-15T00:00:00+00:00", "value": "Made public." } ], "title": "Quay: clickjacking on config-editor page severity", "workarounds": [ { "lang": "en", "value": "It is recommended to configure the webserver to perform the inclusion of the X-Frame-Options: Deny header." } ], "x_redhatCweChain": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-4956", "datePublished": "2023-11-07T19:12:00.777Z", "dateReserved": "2023-09-14T04:52:43.812Z", "dateUpdated": "2024-11-13T23:04:24.838Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-3727
Vulnerability from cvelistv5
Published
2024-05-09 14:57
Modified
2024-12-10 16:08
Severity ?
EPSS score ?
Summary
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ |
Version: 0 ≤ Version: 5.30.0 ≤ |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-3727", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-13T17:59:41.318223Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:33:13.046Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:20:01.029Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:0045", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0045" }, { "name": "RHSA-2024:4159", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4159" }, { "name": "RHSA-2024:4613", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4613" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-3727" }, { "name": "RHBZ#2274767", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274767" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/containers/image", "defaultStatus": "unaffected", "packageName": "image", "versions": [ { "lessThan": "5.29.3", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "5.30.1", "status": "affected", "version": "5.30.0", "versionType": "semver" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_api_data_protection:1.3::el9" ], "defaultStatus": "affected", "packageName": "oadp/oadp-velero-plugin-rhel9", "product": "OADP-1.3-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.3.4-9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-central-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-collector-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-collector-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-operator-bundle", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-rhel8-operator", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product": "Red Hat Advanced Cluster Security 4.4", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.5-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-central-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-collector-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-collector-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-operator-bundle", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-rhel8-operator", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-slim-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-1", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product": "Red Hat Advanced Cluster Security 4.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.5.2-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8100020240808093819.afee755d", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.37.2-1.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.16.1-1.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:5.2.2-1.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhmt:1.8::el8" ], "defaultStatus": "affected", "packageName": "rhmtc/openshift-migration-controller-rhel8", "product": "Red Hat Migration Toolkit for Containers 1.8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v1.8.4-22", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9", "cpe:/a:redhat:openshift_ironic:4.13::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-13.rhaos4.13.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9", "cpe:/a:redhat:openshift_ironic:4.13::el9" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.11.3-3.rhaos4.13.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8" ], "defaultStatus": "affected", "packageName": "openshift4/ose-operator-lifecycle-manager", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.14.0-202407260439.p0.g8d9b39e.assembly.stream.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift_ironic:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-19.rhaos4.14.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el9", "cpe:/a:redhat:openshift_ironic:4.14::el9", "cpe:/a:redhat:openshift:4.14::el8" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.11.3-3.rhaos4.14.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift_ironic:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-30.rhaos4.15.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift_ironic:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.11.3-4.rhaos4.15.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-node-agent-rhel9", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.15.0-202410230304.p0.g366295f.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-orchestrator-rhel8", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.15.0-202410230304.p0.gfde2b2e.assembly.stream.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8" ], "defaultStatus": "affected", "packageName": "openshift4/ose-operator-lifecycle-manager-rhel9", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.15.0-202407230407.p0.gf3f8de5.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ironic:4.16::el9", "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:4.9.4-5.1.rhaos4.16.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_ironic:4.16::el9", "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "skopeo", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.14.4-1.rhaos4.16.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:1.29.5-7.rhaos4.16.git7db4ada.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-operator-lifecycle-manager-rhel9", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.16.0-202407171536.p0.g1551101.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-machine-config-rhel9-operator", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.16.0-202409162206.p0.g6a425ab.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-orchestrator-rhel9", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.16.0-202409231504.p0.g342902b.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-node-agent-rhel9", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.16.0-202410172201.p0.gb121e87.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-machine-config-rhel9-operator", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.17.0-202409122005.p0.gb170ad0.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-olm-operator-controller-rhel9", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.17.0-202409100034.p0.g8d16b39.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-operator-lifecycle-manager-rhel9", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-operator-registry-rhel9", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-orchestrator-rhel9", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.17.0-202410022234.p0.gfbc55c6.assembly.stream.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4.15::el9" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-controller-rhel9", "product": "RHEL-9-CNV-4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "v4.15.5-7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "unaffected", "packageName": "multicluster-engine/agent-service-rhel8", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "unaffected", "packageName": "multicluster-engine/assisted-installer-agent-rhel8", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "unaffected", "packageName": "multicluster-engine/assisted-installer-reporter-rhel8", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "unaffected", "packageName": "multicluster-engine/assisted-installer-rhel8", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "unaffected", "packageName": "multicluster-engine/hive-rhel8", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-agent-base-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/client-kn-rhel8", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "affected", "packageName": "openshift-serverless-clients", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:source_to_image:1" ], "defaultStatus": "affected", "packageName": "source-to-image-container", "product": "OpenShift Source-to-Image (S2I)", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:acm:2" ], "defaultStatus": "unaffected", "packageName": "rhacm2/submariner-rhel8-operator", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-central-db-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-rhel8-operator", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:advanced_cluster_security:3" ], "defaultStatus": "affected", "packageName": "advanced-cluster-security/rhacs-scanner-slim-rhel8", "product": "Red Hat Advanced Cluster Security 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ansible_automation_platform" ], "defaultStatus": "unaffected", "packageName": "openshift-clients", "product": "Red Hat Ansible Automation Platform 1.2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2" ], "defaultStatus": "unaffected", "packageName": "openshift-clients", "product": "Red Hat Ansible Automation Platform 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "buildah", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "podman", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "skopeo", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "container-tools:4.0/buildah", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "container-tools:4.0/conmon", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "container-tools:4.0/containers-common", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "affected", "packageName": "container-tools:4.0/podman", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "container-tools:4.0/skopeo", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "affected", "packageName": "osbuild-composer", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "conmon", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "containers-common", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "osbuild-composer", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:3.11" ], "defaultStatus": "unknown", "packageName": "atomic-openshift", "product": "Red Hat OpenShift Container Platform 3.11", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:3.11" ], "defaultStatus": "unknown", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 3.11", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "buildah", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "conmon", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "containers-common", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/oc-mirror-plugin-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-api-server-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-agent-installer-csr-approver-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "openshift4/ose-baremetal-installer-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-cli", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-cli-artifacts", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-deployer", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-docker-builder", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-installer", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "openshift4/ose-installer-altinfra-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "openshift4/ose-installer-artifacts", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-olm-rukpak-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-openshift-apiserver-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-openshift-controller-manager-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "openshift4/ose-openshift-proxy-pull-test-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-tools-rhel8", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift-clients", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "ose-installer-terraform-providers-container", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:assisted_installer:" ], "defaultStatus": "affected", "packageName": "rhai-tech-preview/assisted-installer-agent-rhel8", "product": "Red Hat OpenShift Container Platform Assisted Installer", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:assisted_installer:" ], "defaultStatus": "affected", "packageName": "rhai-tech-preview/assisted-installer-reporter-rhel8", "product": "Red Hat OpenShift Container Platform Assisted Installer", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:assisted_installer:" ], "defaultStatus": "affected", "packageName": "rhai-tech-preview/assisted-installer-rhel8", "product": "Red Hat OpenShift Container Platform Assisted Installer", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_devspaces:3:" ], "defaultStatus": "affected", "packageName": "devspaces/udi-rhel8", "product": "Red Hat OpenShift Dev Spaces", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_sandboxed_containers:1" ], "defaultStatus": "affected", "packageName": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8", "product": "Red Hat Openshift Sandboxed Containers", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_sandboxed_containers:1" ], "defaultStatus": "affected", "packageName": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator", "product": "Red Hat Openshift Sandboxed Containers", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-apiserver", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-apiserver-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-cloner", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-cloner-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-controller", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-importer", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-importer-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-operator", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-operator-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-uploadproxy", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-uploadproxy-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-uploadserver", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:container_native_virtualization:4" ], "defaultStatus": "affected", "packageName": "container-native-virtualization/virt-cdi-uploadserver-rhel9", "product": "Red Hat OpenShift Virtualization 4", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openstack:16.2" ], "defaultStatus": "affected", "packageName": "osp-director-provisioner-container", "product": "Red Hat OpenStack Platform 16.2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay/quay-builder-rhel8", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "datePublic": "2024-05-09T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-354", "description": "Improper Validation of Integrity Check Value", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-10T16:08:44.916Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:0045", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0045" }, { "name": "RHSA-2024:3718", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3718" }, { "name": "RHSA-2024:4159", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4159" }, { "name": "RHSA-2024:4613", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4613" }, { "name": "RHSA-2024:4850", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4850" }, { "name": "RHSA-2024:4960", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4960" }, { "name": "RHSA-2024:5258", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5258" }, { "name": "RHSA-2024:5951", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5951" }, { "name": "RHSA-2024:6054", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6054" }, { "name": "RHSA-2024:6708", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6708" }, { "name": "RHSA-2024:6824", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6824" }, { "name": "RHSA-2024:7164", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7164" }, { "name": "RHSA-2024:7174", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7174" }, { "name": "RHSA-2024:7182", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7182" }, { "name": "RHSA-2024:7187", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7187" }, { "name": "RHSA-2024:7922", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7922" }, { "name": "RHSA-2024:7941", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:7941" }, { "name": "RHSA-2024:8260", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8260" }, { "name": "RHSA-2024:8425", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8425" }, { "name": "RHSA-2024:9097", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9097" }, { "name": "RHSA-2024:9098", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9098" }, { "name": "RHSA-2024:9102", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9102" }, { "name": "RHSA-2024:9960", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9960" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-3727" }, { "name": "RHBZ#2274767", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274767" } ], "timeline": [ { "lang": "en", "time": "2024-04-12T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-05-09T00:00:00+00:00", "value": "Made public." } ], "title": "Containers/image: digest type does not guarantee valid type", "x_redhatCweChain": "CWE-354: Improper Validation of Integrity Check Value" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-3727", "datePublished": "2024-05-09T14:57:21.327Z", "dateReserved": "2024-04-12T17:56:37.261Z", "dateUpdated": "2024-12-10T16:08:44.916Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-9683
Vulnerability from cvelistv5
Published
2024-10-17 14:08
Modified
2024-11-27 18:54
Severity ?
EPSS score ?
Summary
A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement. While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-9683 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2317559 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-9683", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-17T14:35:37.574201Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-17T14:36:13.694Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Alexander Pryor for reporting this issue." } ], "datePublic": "2024-10-09T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement.\u00a0 While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Low" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-305", "description": "Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-27T18:54:53.220Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-9683" }, { "name": "RHBZ#2317559", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317559" } ], "timeline": [ { "lang": "en", "time": "2024-10-09T12:28:16.419000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-10-09T00:00:00+00:00", "value": "Made public." } ], "title": "Quay: quay allows successful authentication with trucated version of the password", "x_redhatCweChain": "CWE-305: Authentication Bypass by Primary Weakness" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-9683", "datePublished": "2024-10-17T14:08:57.482Z", "dateReserved": "2024-10-09T12:30:10.219Z", "dateUpdated": "2024-11-27T18:54:53.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3384
Vulnerability from cvelistv5
Published
2023-07-24 15:19
Modified
2024-11-13 23:04
Severity ?
EPSS score ?
Summary
A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is
not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS).
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-3384 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2216924 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-3384", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T16:01:16.993801Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:17:35.326Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T06:55:03.375Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-3384" }, { "name": "RHBZ#2216924", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216924" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay/quay-rhel8", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Angel Olle Blazquez (Red Hat)." } ], "datePublic": "2023-06-20T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is\r\nnot performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS)." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-13T23:04:00.899Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-3384" }, { "name": "RHBZ#2216924", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216924" } ], "timeline": [ { "lang": "en", "time": "2023-06-23T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-06-20T00:00:00+00:00", "value": "Made public." } ], "title": "Quay: stored cross site scripting", "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-3384", "datePublished": "2023-07-24T15:19:20.552Z", "dateReserved": "2023-06-23T09:29:36.852Z", "dateUpdated": "2024-11-13T23:04:00.899Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4959
Vulnerability from cvelistv5
Published
2023-09-15 09:51
Modified
2024-11-13 23:04
Severity ?
EPSS score ?
Summary
A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-4959 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2238908 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Red Hat | Red Hat Quay 3 |
cpe:/a:redhat:quay:3 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:44:53.219Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-4959" }, { "name": "RHBZ#2238908", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238908" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4959", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-16T15:21:00.114710Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-16T15:21:09.941Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "Quay", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Oleg Sushchenko (Red Hat)." } ], "datePublic": "2023-09-15T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim\u2019s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges)." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-13T23:04:26.229Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-4959" }, { "name": "RHBZ#2238908", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238908" } ], "timeline": [ { "lang": "en", "time": "2023-09-14T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-09-15T00:00:00+00:00", "value": "Made public." } ], "title": "Quay: cross-site request forgery (csrf) on config-editor page", "workarounds": [ { "lang": "en", "value": "To avoid the risk associated with this vulnerability, it is recommended to include a secret in all requests that may generate a change in the application\u0027s data. A secret is understood, for example, as an extra parameter, generated and sent to the client when accessing the web resource from which the request to be protected is launched. This secret must be generated randomly and be different for each request to be made. On the server side, the application must check that these requests, which cause significant modifications to the data, include the previously generated secrets. If this is not included or is erroneous, the application should not perform the corresponding action.\n\nIn addition to this secret, it is recommended to set the \"SameSite\" attribute in the session cookie with the following values:\n- SameSite=Strict: this value prevents the cookie from being sent in any cross-origin request.\n- SameSite=Lax: this is the value that is recommended in this case as any action carried out via POST or via a script from a cross-origin will be rejected by the browser." } ], "x_redhatCweChain": "CWE-352: Cross-Site Request Forgery (CSRF)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-4959", "datePublished": "2023-09-15T09:51:26.867Z", "dateReserved": "2023-09-14T09:07:57.784Z", "dateUpdated": "2024-11-13T23:04:26.229Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-9675
Vulnerability from cvelistv5
Published
2024-10-09 14:32
Modified
2024-12-01 23:14
Severity ?
EPSS score ?
Summary
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 8 |
Unaffected: 8100020241023085649.afee755d < * cpe:/a:redhat:enterprise_linux:8::appstream |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-9675", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T16:16:25.550764Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T16:24:34.705Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8100020241023085649.afee755d", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020241028154646.3b538bd8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020241028154646.3b538bd8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020241028154646.3b538bd8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:8.8::appstream" ], "defaultStatus": "affected", "packageName": "container-tools:rhel8", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8080020241025064551.0f77c1b7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.33.10-1.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:4.9.4-16.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:5.2.2-9.el9_5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:1.37.5-1.el9_5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1:1.26.8-2.el9_0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:4.2.0-5.el9_0.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.2::appstream" ], "defaultStatus": "affected", "packageName": "buildah", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1:1.29.4-1.el9_2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.2::appstream" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2:4.4.1-21.el9_2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-15.rhaos4.13.el8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el8", "cpe:/a:redhat:openshift:4.14::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-21.rhaos4.14.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el8", "cpe:/a:redhat:openshift:4.15::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3:4.4.1-32.rhaos4.15.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el8", "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4:4.9.4-14.rhaos4.16.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el8", "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "affected", "packageName": "podman", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "5:5.2.2-1.rhaos4.17.el9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-agent-base-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:ocp_tools" ], "defaultStatus": "affected", "packageName": "ocp-tools-4/jenkins-rhel8", "product": "OpenShift Developer Tools and Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "skopeo", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "conmon", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "buildah", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "conmon", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "unaffected", "packageName": "cri-o", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "openshift4/ose-docker-builder", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quay:3" ], "defaultStatus": "affected", "packageName": "quay/quay-builder-rhel8", "product": "Red Hat Quay 3", "vendor": "Red Hat" } ], "datePublic": "2024-10-09T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-01T23:14:00.658Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:8563", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8563" }, { "name": "RHSA-2024:8675", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8675" }, { "name": "RHSA-2024:8679", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8679" }, { "name": "RHSA-2024:8686", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8686" }, { "name": "RHSA-2024:8690", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8690" }, { "name": "RHSA-2024:8700", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8700" }, { "name": "RHSA-2024:8703", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8703" }, { "name": "RHSA-2024:8707", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8707" }, { "name": "RHSA-2024:8708", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8708" }, { "name": "RHSA-2024:8709", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8709" }, { "name": "RHSA-2024:8846", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8846" }, { "name": "RHSA-2024:8984", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8984" }, { "name": "RHSA-2024:8994", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:8994" }, { "name": "RHSA-2024:9051", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9051" }, { "name": "RHSA-2024:9454", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9454" }, { "name": "RHSA-2024:9459", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:9459" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-9675" }, { "name": "RHBZ#2317458", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317458" } ], "timeline": [ { "lang": "en", "time": "2024-10-09T02:45:06.343000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-10-09T00:00:00+00:00", "value": "Made public." } ], "title": "Buildah: buildah allows arbitrary directory mount", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-9675", "datePublished": "2024-10-09T14:32:11.922Z", "dateReserved": "2024-10-09T02:47:50.357Z", "dateUpdated": "2024-12-01T23:14:00.658Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }