CVE-2020-14040 (GCVE-0-2020-14040)
Vulnerability from cvelistv5 - Published: 2020-06-17 19:22 - Updated: 2024-08-04 12:32 - n/a
| URL | Tags |
|---|---|
| https://groups.google.com/forum/#%21topic/golang-… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-07T18:06:10.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14040",
"datePublished": "2020-06-17T19:22:31.000Z",
"dateReserved": "2020-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-14040",
"date": "2026-05-20",
"epss": "8e-05",
"percentile": "0.00658"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.3.3\", \"matchCriteriaId\": \"C111DDBC-C8B1-498F-8F36-C8AB6E1134D7\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.\"}, {\"lang\": \"es\", \"value\": \"El paquete x/text anterior a la versi\\u00f3n 0.3.3 para Go tiene una vulnerabilidad en la codificaci\\u00f3n/unicode que podr\\u00eda llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podr\\u00eda proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la funci\\u00f3n String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String\"}]",
"id": "CVE-2020-14040",
"lastModified": "2024-11-21T05:02:25.223",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-06-17T20:15:09.993",
"references": "[{\"url\": \"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-835\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-14040\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-06-17T20:15:09.993\",\"lastModified\":\"2024-11-21T05:02:25.223\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.\"},{\"lang\":\"es\",\"value\":\"El paquete x/text anterior a la versi\u00f3n 0.3.3 para Go tiene una vulnerabilidad en la codificaci\u00f3n/unicode que podr\u00eda llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podr\u00eda proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la funci\u00f3n String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.3\",\"matchCriteriaId\":\"C111DDBC-C8B1-498F-8F36-C8AB6E1134D7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}],\"references\":[{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
CERTFR-2022-AVI-591
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Plus versions prior to 10.1.11 |
| IBM | Spectrum | IBM Spectrum Protect Client versions prior to 8.1.1.15 |
| IBM | N/A | IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data versions prior to 4.5.0 |
| IBM | Db2 | IBM® Db2® on Openshift versions prior to 11.5.7.0-cn5 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-29368",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
},
{
"name": "CVE-2021-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
},
{
"name": "CVE-2018-1099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
},
{
"name": "CVE-2021-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
},
{
"name": "CVE-2021-45485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
},
{
"name": "CVE-2022-27191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
},
{
"name": "CVE-2021-30465",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
},
{
"name": "CVE-2019-11249",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
},
{
"name": "CVE-2020-8557",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
},
{
"name": "CVE-2020-7919",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
},
{
"name": "CVE-2019-11247",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
},
{
"name": "CVE-2020-28851",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
},
{
"name": "CVE-2021-42248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
},
{
"name": "CVE-2018-1002105",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2020-15112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
},
{
"name": "CVE-2021-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
},
{
"name": "CVE-2021-25736",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
},
{
"name": "CVE-2020-27813",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
},
{
"name": "CVE-2018-17848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
},
{
"name": "CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"name": "CVE-2021-41864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
},
{
"name": "CVE-2020-36385",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
},
{
"name": "CVE-2020-25704",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
},
{
"name": "CVE-2021-25735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
},
{
"name": "CVE-2017-18367",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
},
{
"name": "CVE-2020-8564",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
},
{
"name": "CVE-2021-20206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
},
{
"name": "CVE-2019-11246",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
},
{
"name": "CVE-2021-31916",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
},
{
"name": "CVE-2021-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
},
{
"name": "CVE-2018-1098",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
},
{
"name": "CVE-2021-28971",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
},
{
"name": "CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"name": "CVE-2022-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
},
{
"name": "CVE-2021-4002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
},
{
"name": "CVE-2021-4083",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
},
{
"name": "CVE-2021-45486",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
},
{
"name": "CVE-2020-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
},
{
"name": "CVE-2017-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
},
{
"name": "CVE-2021-4157",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
},
{
"name": "CVE-2020-15106",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
},
{
"name": "CVE-2021-43784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
},
{
"name": "CVE-2021-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
},
{
"name": "CVE-2018-17142",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
},
{
"name": "CVE-2022-0185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
},
{
"name": "CVE-2022-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-44733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
},
{
"name": "CVE-2020-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
},
{
"name": "CVE-2021-20269",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
},
{
"name": "CVE-2020-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
},
{
"name": "CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"name": "CVE-2021-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2022-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
},
{
"name": "CVE-2022-1011",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
},
{
"name": "CVE-2021-3669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
},
{
"name": "CVE-2020-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
},
{
"name": "CVE-2020-10752",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
},
{
"name": "CVE-2021-28950",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
},
{
"name": "CVE-2021-29650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
},
{
"name": "CVE-2020-36322",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
},
{
"name": "CVE-2020-28852",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
},
{
"name": "CVE-2021-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
},
{
"name": "CVE-2020-15113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2018-17847",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2020-26160",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-42836",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
},
{
"name": "CVE-2020-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2018-17143",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
},
{
"name": "CVE-2019-11841",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
},
{
"name": "CVE-2018-20699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2021-3764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
},
{
"name": "CVE-2019-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
},
{
"name": "CVE-2021-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
},
{
"name": "CVE-2021-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
},
{
"name": "CVE-2022-0850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
},
{
"name": "CVE-2021-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2021-25737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
},
{
"name": "CVE-2018-17846",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
},
{
"name": "CVE-2021-4028",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
},
{
"name": "CVE-2021-43565",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
},
{
"name": "CVE-2021-25741",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
},
{
"name": "CVE-2018-16886",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2021-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2019-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
},
{
"name": "CVE-2019-11251",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
},
{
"name": "CVE-2020-36067",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596399"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596971"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6599703"
}
]
}
CERTFR-2025-AVI-0582
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in Palo Alto Networks products. They allow an attacker to cause privilege escalation, a security policy bypass and a security issue not specified by the vendor.
Palo Alto Networks states that the vulnerability CVE-2025-6554, which affects Prisma Access Browser, is being actively exploited.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| Palo Alto Networks | N/A | Autonomous Digital Experience Manager versions 5.6.x prior to 5.6.7 on macOS |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8 on Linux (availability planned for 11 July 2025) |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8-h2 (6.2.8-c243) on macOS and Windows |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.1.x and GlobalProtect App versions 6.0.x |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.3.x prior to 6.3.3-h1 (6.3.3-c650) on macOS and Windows |
| Palo Alto Networks | Prisma Access Browser | Prisma Access Browser versions prior to 138.33.5.97 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Autonomous Digital Experience Manager versions 5.6.x ant\u00e9rieures \u00e0 5.6.7 sur macOS",
"product": {
"name": "N/A",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8 sur Linux (disponibilit\u00e9 pr\u00e9vue pour le 11 juillet 2025)",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8-h2 (6.2.8-c243) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.1.x et GlobalProtect App versions 6.0.x ",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.3.x ant\u00e9rieures \u00e0 6.3.3-h1 (6.3.3-c650) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "Prisma Access Browser versions ant\u00e9rieures \u00e0 138.33.5.97",
"product": {
"name": "Prisma Access Browser",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2020-13434",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13434"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2025-5959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5959"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2021-20305",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20305"
},
{
"name": "CVE-2025-6192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6192"
},
{
"name": "CVE-2019-5827",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5827"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2025-0140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0140"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2025-6557",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6557"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2020-15358",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15358"
},
{
"name": "CVE-2025-0139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0139"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2019-13751",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13751"
},
{
"name": "CVE-2025-0141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0141"
},
{
"name": "CVE-2025-6556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6556"
},
{
"name": "CVE-2023-27536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27536"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2019-13750",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13750"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2024-1086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1086"
},
{
"name": "CVE-2025-6191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6191"
},
{
"name": "CVE-2025-6554",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6554"
},
{
"name": "CVE-2025-5958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5958"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2019-19603",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19603"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2020-13435",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13435"
},
{
"name": "CVE-2025-6555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6555"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0582",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Palo Alto Networks. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n\nPalo Alto Networks indique que la vuln\u00e9rabilit\u00e9 CVE-2025-6554, qui affecte Prisma Access Browser, est activement exploit\u00e9e.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Palo Alto Networks",
"vendor_advisories": [
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0139",
"url": "https://security.paloaltonetworks.com/CVE-2025-0139"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0140",
"url": "https://security.paloaltonetworks.com/CVE-2025-0140"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0012",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0012"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0141",
"url": "https://security.paloaltonetworks.com/CVE-2025-0141"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0013",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0013"
}
]
}
CERTFR-2022-AVI-591
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Plus versions prior to 10.1.11 |
| IBM | Spectrum | IBM Spectrum Protect Client versions prior to 8.1.1.15 |
| IBM | N/A | IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data versions prior to 4.5.0 |
| IBM | Db2 | IBM® Db2® on Openshift versions prior to 11.5.7.0-cn5 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-29368",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
},
{
"name": "CVE-2021-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
},
{
"name": "CVE-2018-1099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
},
{
"name": "CVE-2021-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
},
{
"name": "CVE-2021-45485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
},
{
"name": "CVE-2022-27191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
},
{
"name": "CVE-2021-30465",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
},
{
"name": "CVE-2019-11249",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
},
{
"name": "CVE-2020-8557",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
},
{
"name": "CVE-2020-7919",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
},
{
"name": "CVE-2019-11247",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
},
{
"name": "CVE-2020-28851",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
},
{
"name": "CVE-2021-42248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
},
{
"name": "CVE-2018-1002105",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2020-15112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
},
{
"name": "CVE-2021-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
},
{
"name": "CVE-2021-25736",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
},
{
"name": "CVE-2020-27813",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
},
{
"name": "CVE-2018-17848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
},
{
"name": "CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"name": "CVE-2021-41864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
},
{
"name": "CVE-2020-36385",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
},
{
"name": "CVE-2020-25704",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
},
{
"name": "CVE-2021-25735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
},
{
"name": "CVE-2017-18367",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
},
{
"name": "CVE-2020-8564",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
},
{
"name": "CVE-2021-20206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
},
{
"name": "CVE-2019-11246",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
},
{
"name": "CVE-2021-31916",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
},
{
"name": "CVE-2021-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
},
{
"name": "CVE-2018-1098",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
},
{
"name": "CVE-2021-28971",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
},
{
"name": "CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"name": "CVE-2022-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
},
{
"name": "CVE-2021-4002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
},
{
"name": "CVE-2021-4083",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
},
{
"name": "CVE-2021-45486",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
},
{
"name": "CVE-2020-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
},
{
"name": "CVE-2017-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
},
{
"name": "CVE-2021-4157",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
},
{
"name": "CVE-2020-15106",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
},
{
"name": "CVE-2021-43784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
},
{
"name": "CVE-2021-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
},
{
"name": "CVE-2018-17142",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
},
{
"name": "CVE-2022-0185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
},
{
"name": "CVE-2022-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-44733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
},
{
"name": "CVE-2020-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
},
{
"name": "CVE-2021-20269",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
},
{
"name": "CVE-2020-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
},
{
"name": "CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"name": "CVE-2021-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2022-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
},
{
"name": "CVE-2022-1011",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
},
{
"name": "CVE-2021-3669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
},
{
"name": "CVE-2020-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
},
{
"name": "CVE-2020-10752",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
},
{
"name": "CVE-2021-28950",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
},
{
"name": "CVE-2021-29650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
},
{
"name": "CVE-2020-36322",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
},
{
"name": "CVE-2020-28852",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
},
{
"name": "CVE-2021-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
},
{
"name": "CVE-2020-15113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2018-17847",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2020-26160",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-42836",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
},
{
"name": "CVE-2020-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2018-17143",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
},
{
"name": "CVE-2019-11841",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
},
{
"name": "CVE-2018-20699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2021-3764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
},
{
"name": "CVE-2019-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
},
{
"name": "CVE-2021-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
},
{
"name": "CVE-2021-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
},
{
"name": "CVE-2022-0850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
},
{
"name": "CVE-2021-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2021-25737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
},
{
"name": "CVE-2018-17846",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
},
{
"name": "CVE-2021-4028",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
},
{
"name": "CVE-2021-43565",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
},
{
"name": "CVE-2021-25741",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
},
{
"name": "CVE-2018-16886",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2021-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2019-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
},
{
"name": "CVE-2019-11251",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
},
{
"name": "CVE-2020-36067",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596399"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596971"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6599703"
}
]
}
CERTFR-2025-AVI-0582
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in Palo Alto Networks products. They allow an attacker to cause a privilege escalation, a security policy bypass and a security issue not specified by the vendor.
Palo Alto Networks states that vulnerability CVE-2025-6554, which affects Prisma Access Browser, is being actively exploited.
Solutions
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| Palo Alto Networks | N/A | Autonomous Digital Experience Manager versions 5.6.x prior to 5.6.7 on macOS |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8 on Linux (availability planned for 11 July 2025) |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8-h2 (6.2.8-c243) on macOS and Windows |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.1.x and GlobalProtect App versions 6.0.x |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.3.x prior to 6.3.3-h1 (6.3.3-c650) on macOS and Windows |
| Palo Alto Networks | Prisma Access Browser | Prisma Access Browser versions prior to 138.33.5.97 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Autonomous Digital Experience Manager versions 5.6.x ant\u00e9rieures \u00e0 5.6.7 sur macOS",
"product": {
"name": "N/A",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8 sur Linux (disponibilit\u00e9 pr\u00e9vue pour le 11 juillet 2025)",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8-h2 (6.2.8-c243) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.1.x et GlobalProtect App versions 6.0.x ",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.3.x ant\u00e9rieures \u00e0 6.3.3-h1 (6.3.3-c650) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "Prisma Access Browser versions ant\u00e9rieures \u00e0 138.33.5.97",
"product": {
"name": "Prisma Access Browser",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2020-13434",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13434"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2025-5959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5959"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2021-20305",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20305"
},
{
"name": "CVE-2025-6192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6192"
},
{
"name": "CVE-2019-5827",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5827"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2025-0140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0140"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2025-6557",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6557"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2020-15358",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15358"
},
{
"name": "CVE-2025-0139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0139"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2019-13751",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13751"
},
{
"name": "CVE-2025-0141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0141"
},
{
"name": "CVE-2025-6556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6556"
},
{
"name": "CVE-2023-27536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27536"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2019-13750",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13750"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2024-1086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1086"
},
{
"name": "CVE-2025-6191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6191"
},
{
"name": "CVE-2025-6554",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6554"
},
{
"name": "CVE-2025-5958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5958"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2019-19603",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19603"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2020-13435",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13435"
},
{
"name": "CVE-2025-6555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6555"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0582",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Palo Alto Networks. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n\nPalo Alto Networks indique que la vuln\u00e9rabilit\u00e9 CVE-2025-6554, qui affecte Prisma Access Browser, est activement exploit\u00e9e.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Palo Alto Networks",
"vendor_advisories": [
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0139",
"url": "https://security.paloaltonetworks.com/CVE-2025-0139"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0140",
"url": "https://security.paloaltonetworks.com/CVE-2025-0140"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0012",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0012"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0141",
"url": "https://security.paloaltonetworks.com/CVE-2025-0141"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0013",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0013"
}
]
}
alsa-2020:4694
Vulnerability from osv_almalinux
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)
- QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)
- golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+2635+e4386a39"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+108+00865455"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2020:4694",
"modified": "2020-11-03T19:50:37Z",
"published": "2020-11-03T12:27:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2020-4694.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10749"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10756"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-14040"
}
],
"related": [
"CVE-2020-10749",
"CVE-2020-10756",
"CVE-2020-14040"
],
"summary": "Moderate: container-tools:rhel8 security, bug fix, and enhancement update"
}
FKIE_CVE-2020-14040
Vulnerability from fkie_nvd - Published: 2020-06-17 20:15 - Updated: 2024-11-21 05:02
| Vendor | Product | Version |
|---|---|---|
| golang | text | * |
| fedoraproject | fedora | 32 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C111DDBC-C8B1-498F-8F36-C8AB6E1134D7",
"versionEndExcluding": "0.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
},
{
"lang": "es",
"value": "El paquete x/text anterior a la versi\u00f3n 0.3.3 para Go tiene una vulnerabilidad en la codificaci\u00f3n/unicode que podr\u00eda llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podr\u00eda proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la funci\u00f3n String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String"
}
],
"id": "CVE-2020-14040",
"lastModified": "2024-11-21T05:02:25.223",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-17T20:15:09.993",
"references": [
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-5RCV-M4M3-HFH7
Vulnerability from github – Published: 2021-05-18 18:34 – Updated: 2024-05-20 19:24
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Specific Go Packages Affected
- golang.org/x/text/encoding/unicode
- golang.org/x/text/transform
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/text"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14040"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T14:54:58Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.\n\n### Specific Go Packages Affected\ngolang.org/x/text/encoding/unicode\ngolang.org/x/text/transform",
"id": "GHSA-5rcv-m4m3-hfh7",
"modified": "2024-05-20T19:24:15Z",
"published": "2021-05-18T18:34:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/39491"
},
{
"type": "WEB",
"url": "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "WEB",
"url": "https://go-review.googlesource.com/c/text/+/238238"
},
{
"type": "WEB",
"url": "https://go.dev/cl/238238"
},
{
"type": "WEB",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/text Infinite loop"
}
GSD-2020-14040
Vulnerability from gsd - Updated: 2023-12-13 01:21
{
"GSD": {
"alias": "CVE-2020-14040",
"description": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"id": "GSD-2020-14040",
"references": [
"https://www.suse.com/security/cve/CVE-2020-14040.html",
"https://access.redhat.com/errata/RHSA-2021:3140",
"https://access.redhat.com/errata/RHSA-2021:2039",
"https://access.redhat.com/errata/RHSA-2021:1369",
"https://access.redhat.com/errata/RHSA-2021:1168",
"https://access.redhat.com/errata/RHSA-2021:1129",
"https://access.redhat.com/errata/RHSA-2021:0980",
"https://access.redhat.com/errata/RHSA-2021:0799",
"https://access.redhat.com/errata/RHSA-2021:0420",
"https://access.redhat.com/errata/RHSA-2020:5635",
"https://access.redhat.com/errata/RHSA-2020:5633",
"https://access.redhat.com/errata/RHSA-2020:5606",
"https://access.redhat.com/errata/RHSA-2020:5605",
"https://access.redhat.com/errata/RHSA-2020:5198",
"https://access.redhat.com/errata/RHSA-2020:5149",
"https://access.redhat.com/errata/RHSA-2020:5056",
"https://access.redhat.com/errata/RHSA-2020:5055",
"https://access.redhat.com/errata/RHSA-2020:5054",
"https://access.redhat.com/errata/RHSA-2020:4694",
"https://access.redhat.com/errata/RHSA-2020:4298",
"https://access.redhat.com/errata/RHSA-2020:4297",
"https://access.redhat.com/errata/RHSA-2020:4214",
"https://access.redhat.com/errata/RHSA-2020:3783",
"https://access.redhat.com/errata/RHSA-2020:3780",
"https://access.redhat.com/errata/RHSA-2020:3727",
"https://access.redhat.com/errata/RHSA-2020:3665",
"https://access.redhat.com/errata/RHSA-2020:3578",
"https://access.redhat.com/errata/RHSA-2020:3372",
"https://access.redhat.com/errata/RHSA-2020:3369",
"https://access.redhat.com/errata/RHSA-2020:3087",
"https://alas.aws.amazon.com/cve/html/CVE-2020-14040.html",
"https://linux.oracle.com/cve/CVE-2020-14040.html",
"https://ubuntu.com/security/CVE-2020-14040"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-14040"
],
"details": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"id": "GSD-2020-14040",
"modified": "2023-12-13T01:21:59.890740Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.3.3",
"affected_versions": "All versions before 0.3.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-835",
"CWE-937"
],
"date": "2020-11-18",
"description": "The `x/text` package for Go has a vulnerability in `encoding/unicode` that could lead to the `UTF-16` decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a `UTF16` decoder instantiated with `UseBOM` or `ExpectBOM` to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to `golang.org/x/text/transform.String`.",
"fixed_versions": [
"v0.3.3"
],
"identifier": "CVE-2020-14040",
"identifiers": [
"CVE-2020-14040"
],
"not_impacted": "All versions starting from 0.3.3",
"package_slug": "go/golang.org/x/text",
"pubdate": "2020-06-17",
"solution": "Upgrade to version 0.3.3 or above.",
"title": "Loop with Unreachable Exit Condition (Infinite Loop)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
],
"uuid": "8ab0265a-d1a9-4085-a661-0d9d9931f0ad"
},
{
"affected_range": "\u003c0.3.3",
"affected_versions": "All versions before 0.3.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-835",
"CWE-937"
],
"date": "2021-05-18",
"description": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"fixed_versions": [
"0.3.3"
],
"identifier": "CVE-2020-14040",
"identifiers": [
"GHSA-5rcv-m4m3-hfh7",
"CVE-2020-14040"
],
"not_impacted": "All versions starting from 0.3.3",
"package_slug": "go/golang.org/x/text/encoding/unicode",
"pubdate": "2021-05-18",
"solution": "Upgrade to version 0.3.3 or above.",
"title": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"https://github.com/golang/go/issues/39491",
"https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e",
"https://github.com/advisories/GHSA-5rcv-m4m3-hfh7"
],
"uuid": "c90a0e0c-5518-452d-9d0d-2b4fda034e75"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.3.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-11-18T14:44Z",
"publishedDate": "2020-06-17T20:15Z"
}
}
}
RHSA-2020:3087
Vulnerability from csaf_redhat - Published: 2020-07-22 07:33 - Updated: 2026-05-04 21:01
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jaeger-all-in-one-rhel7-container, jaeger-agent-rhel7-container, jaeger-collector-rhel7-container, jaeger-query-rhel7-container, jaeger-ingester-rhel7-container and jaeger-rhel7-operator-container is now available for Jaeger-1.17.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Jaeger is Red Hat\u0027s distribution of the Jaeger project,\ntailored for installation into an on-premise OpenShift Container Platform\ninstallation.\n\nSecurity Fix(es):\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3087",
"url": "https://access.redhat.com/errata/RHSA-2020:3087"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "TRACING-1300",
"url": "https://issues.redhat.com/browse/TRACING-1300"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3087.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Jaeger 1.17.5 container images security update",
"tracking": {
"current_release_date": "2026-05-04T21:01:39+00:00",
"generator": {
"date": "2026-05-04T21:01:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2020:3087",
"initial_release_date": "2020-07-22T07:33:26+00:00",
"revision_history": [
{
"date": "2020-07-22T07:33:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-22T07:33:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T21:01:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Jaeger 1.17",
"product": {
"name": "Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jaeger:1.17::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Jaeger"
},
{
"branches": [
{
"category": "product_version",
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product": {
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product_id": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-agent-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product": {
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product_id": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product": {
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product_id": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-collector-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product": {
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product_id": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product": {
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product_id": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-query-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product": {
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product_id": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-rhel7-operator\u0026tag=1.17.5-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64"
},
"product_reference": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64"
},
"product_reference": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64"
},
"product_reference": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64"
},
"product_reference": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64"
},
"product_reference": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
},
"product_reference": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-22T07:33:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://docs.openshift.com/container-platform/4.4/jaeger/jaeger_install/rhbjaeger-updating.html",
"product_ids": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3087"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
RHSA-2020:3369
Vulnerability from csaf_redhat - Published: 2020-08-06 20:19 - Updated: 2026-05-16 02:02
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix |
A flaw was found in jQuery. If HTML containing `<option>` elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix), Workaround |
A flaw was found in macaron. Path URLs aren't cleaned before being redirected, creating an open redirect in the static handler.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | — | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | — | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Service Mesh 1.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\n* macaron: open redirect in the static handler (CVE-2020-12666)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3369",
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "1850034",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850034"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "1857412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3369.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh security update",
"tracking": {
"current_release_date": "2026-05-16T02:02:52+00:00",
"generator": {
"date": "2026-05-16T02:02:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:3369",
"initial_release_date": "2020-08-06T20:19:17+00:00",
"revision_history": [
{
"date": "2020-08-06T20:19:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-08-06T20:19:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-16T02:02:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Service Mesh 1.1",
"product": {
"name": "OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.1::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 1.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "ior-0:1.1.6-1.el8.x86_64",
"product": {
"name": "ior-0:1.1.6-1.el8.x86_64",
"product_id": "ior-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-citadel@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-galley@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-istioctl@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-mixc@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-mixs@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-pilot-agent@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-sidecar-injector@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product_id": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product_id": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product": {
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product_id": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana-prometheus@6.4.3-13.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product": {
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product_id": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product_id": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ior-0:1.1.6-1.el8.src",
"product": {
"name": "ior-0:1.1.6-1.el8.src",
"product_id": "ior-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-0:1.1.6-1.el8.src",
"product": {
"name": "servicemesh-0:1.1.6-1.el8.src",
"product_id": "servicemesh-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product_id": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product_id": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-cni-0:1.1.6-1.el8.src",
"product": {
"name": "servicemesh-cni-0:1.1.6-1.el8.src",
"product_id": "servicemesh-cni-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-operator-0:1.1.6-2.el8.src",
"product": {
"name": "servicemesh-operator-0:1.1.6-2.el8.src",
"product_id": "servicemesh-operator-0:1.1.6-2.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product_id": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.src as a component of Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src"
},
"product_reference": "kiali-0:v1.12.10.redhat2-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64 as a component of Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64"
},
"product_reference": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ior-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src"
},
"product_reference": "ior-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ior-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64"
},
"product_reference": "ior-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src"
},
"product_reference": "servicemesh-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-cni-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src"
},
"product_reference": "servicemesh-cni-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src"
},
"product_reference": "servicemesh-grafana-0:6.4.3-13.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64"
},
"product_reference": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64"
},
"product_reference": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-operator-0:1.1.6-2.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src"
},
"product_reference": "servicemesh-operator-0:1.1.6-2.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64"
},
"product_reference": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src"
},
"product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64"
},
"product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8203",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-07-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1857412"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-lodash: prototype pollution in zipObjectDeep function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8203"
},
{
"category": "external",
"summary": "RHBZ#1857412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/712065",
"url": "https://hackerone.com/reports/712065"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1523",
"url": "https://www.npmjs.com/advisories/1523"
}
],
"release_date": "2020-04-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-lodash: prototype pollution in zipObjectDeep function"
},
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. Passing HTML containing \\\u003coption\\\u003e elements from untrusted sources, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2020-12666",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850034"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in macaron. Path URLs aren\u0027t cleaned before being redirected creating an open redirect in the static handler.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "macaron: open redirect in the static handler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue has a low impact on both the OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.\n\nRed Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and is no longer receiving fixes for Moderate/Low impact issues.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12666"
},
{
"category": "external",
"summary": "RHBZ#1850034",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850034"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12666",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12666"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666"
}
],
"release_date": "2020-05-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "macaron: open redirect in the static handler"
},
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Bytes, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop that consumes increasing amounts of memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.