Action not permitted
Modal body text goes here.
CVE-2020-7720
Vulnerability from cvelistv5
Published
2020-09-01 09:35
Modified
2024-09-16 17:49
Severity ?
EPSS score ?
Summary
Prototype Pollution
References
| ▼ | URL | Tags | |
|---|---|---|---|
| report@snyk.io | https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md | Release Notes, Third Party Advisory | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293 | Exploit, Third Party Advisory | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677 | Exploit, Third Party Advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| n/a | node-forge |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:00.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-forge",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "NerdJS"
}
],
"datePublic": "2020-09-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-02T19:13:19",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
}
],
"title": "Prototype Pollution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-09-01T09:30:33.465829Z",
"ID": "CVE-2020-7720",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node-forge",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "NerdJS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"name": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7720",
"datePublished": "2020-09-01T09:35:12.869324Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T17:49:31.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-7720\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2020-09-01T10:15:10.607\",\"lastModified\":\"2022-12-02T19:53:32.713\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.\"},{\"lang\":\"es\",\"value\":\"El paquete node-forge en versiones anteriores a la 0.10.0 es vulnerable a la contaminaci\u00f3n por prototipos a trav\u00e9s de la funci\u00f3n util.setPath. Nota: La versi\u00f3n 0.10.0 es un cambio radical que elimina las funciones vulnerables\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"0.10.0\",\"matchCriteriaId\":\"5F718E41-2DD0-4E79-B345-C1EE8A1BE8E6\"}]}]}],\"references\":[{\"url\":\"https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md\",\"source\":\"report@snyk.io\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
ghsa-92xj-mqp7-vmcj
Vulnerability from github
Published
2020-09-14 21:42
Modified
2022-12-03 04:06
Severity ?
Summary
Prototype Pollution in node-forge
Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.
{
"affected": [
{
"ecosystem_specific": {
"affected_functions": [
"(node-forge).util.setPath"
]
},
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7720"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-14T21:41:51Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "HIGH"
},
"details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GHSA-92xj-mqp7-vmcj",
"modified": "2022-12-03T04:06:21Z",
"published": "2020-09-14T21:42:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in node-forge"
}
gsd-2020-7720
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-7720",
"description": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GSD-2020-7720",
"references": [
"https://access.redhat.com/errata/RHSA-2020:5605",
"https://access.redhat.com/errata/RHSA-2020:5249"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-7720"
],
"details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GSD-2020-7720",
"modified": "2023-12-13T01:21:52.098144Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-09-01T09:30:33.465829Z",
"ID": "CVE-2020-7720",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node-forge",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "NerdJS"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"name": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.10.0",
"affected_versions": "All versions before 0.10.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2021-07-21",
"description": "The package node-forge is vulnerable to Prototype Pollution via the `util.setPath` function. Note, it is a breaking change removing the vulnerable functions.",
"fixed_versions": [
"0.10.0"
],
"identifier": "CVE-2020-7720",
"identifiers": [
"CVE-2020-7720",
"GHSA-wxgw-qj99-44c2",
"GMS-2022-68"
],
"not_impacted": "All versions starting from 0.10.0",
"package_slug": "npm/node-forge",
"pubdate": "2020-09-01",
"solution": "Upgrade to version 0.10.0 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-7720",
"https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2",
"https://github.com/advisories/GHSA-wxgw-qj99-44c2"
],
"uuid": "1e2a127c-e49e-4949-9f09-c09930fc2ffb"
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions before 0.10.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-01-08",
"description": "### Impact\n`forge.util.setPath` had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.\n\n### Patches\nThe `forge.util.setPath` API and related functions were removed in 0.10.0.\n\n### Workarounds\nDon\u0027t call `forge.util.setPath` directly or indirectly with untrusted keys.\n\n### References\n- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.",
"fixed_versions": [
"0.10.0"
],
"identifier": "GMS-2022-68",
"identifiers": [
"GHSA-wxgw-qj99-44c2",
"GMS-2022-68",
"CVE-2020-7720"
],
"not_impacted": "All versions starting from 0.10.0",
"package_slug": "npm/node-forge",
"pubdate": "2022-01-08",
"solution": "Upgrade to version 0.10.0 or above.",
"title": "Duplicate of ./npm/node-forge/CVE-2020-7720.yml",
"urls": [
"https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2",
"https://github.com/advisories/GHSA-wxgw-qj99-44c2"
],
"uuid": "bffafc40-e147-4d38-9cb0-490ab19ab131"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndExcluding": "0.10.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2020-7720"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"name": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4
}
},
"lastModifiedDate": "2022-12-02T19:53Z",
"publishedDate": "2020-09-01T10:15Z"
}
}
}
rhsa-2020_5249
Vulnerability from csaf_redhat
Published
2020-11-30 14:12
Modified
2024-11-22 15:53
Summary
Red Hat Security Advisory: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Notes
Topic
Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Details
* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
* Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP(s) requests by default
* Updated several dependencies of Ansible Tower's User Interface to address (CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)
* Updated to the latest version of python-psutil to address CVE-2019-18874
* Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
* Fixed workflows to no longer prevent certain users from being able to edit approval nodes
* Fixed confusing behavior for social auth logins across distinct browser tabs
* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container",
"title": "Topic"
},
{
"category": "general",
"text": "* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)\n* Improved Ansible Tower\u0027s web service configuration to allow for processing more simultaneous HTTP(s) requests by default\n* Updated several dependencies of Ansible Tower\u0027s User Interface to address (CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)\n* Updated to the latest version of python-psutil to address CVE-2019-18874\n* Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases\n* Fixed workflows to no longer prevent certain users from being able to edit approval nodes\n* Fixed confusing behavior for social auth logins across distinct browser tabs\n* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:5249",
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_5249.json"
}
],
"title": "Red Hat Security Advisory: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container",
"tracking": {
"current_release_date": "2024-11-22T15:53:00+00:00",
"generator": {
"date": "2024-11-22T15:53:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:5249",
"initial_release_date": "2020-11-30T14:12:30+00:00",
"revision_history": [
{
"date": "2020-11-30T14:12:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-11-30T14:12:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T15:53:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ansible Tower 3.7 for RHEL 7",
"product": {
"name": "Red Hat Ansible Tower 3.7 for RHEL 7",
"product_id": "7Server-Ansible-Tower-3.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_tower:3.7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ansible Tower"
},
{
"branches": [
{
"category": "product_version",
"name": "ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64",
"product": {
"name": "ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64",
"product_id": "ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5?arch=amd64\u0026repository_url=registry.redhat.io/ansible-tower-37/ansible-tower-rhel7\u0026tag=3.7.4-1"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64 as a component of Red Hat Ansible Tower 3.7 for RHEL 7",
"product_id": "7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
},
"product_reference": "ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64",
"relates_to_product_reference": "7Server-Ansible-Tower-3.7"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Riccardo Schirone"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-18874",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2019-11-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1772014"
}
],
"notes": [
{
"category": "description",
"text": "A double free issue has been discovered in python-psutil because of the mishandling of refcounts while converting system data into Python objects in functions like psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs(), and others. In particular cases, a local attacker may be able to get code execution by manipulating system resources that python-psutil then tries to convert.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-psutil: Double free because of refcount mishandling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-18874"
},
{
"category": "external",
"summary": "RHBZ#1772014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772014"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-18874",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-18874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18874"
}
],
"release_date": "2019-11-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-psutil: Double free because of refcount mishandling"
},
{
"cve": "CVE-2020-7676",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1849206"
}
],
"notes": [
{
"category": "description",
"text": "A XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\\\u003coption\\\u003e\" elements in \"\\\u003cselect\\\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-angular: XSS due to regex-based HTML replacement",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7676"
},
{
"category": "external",
"summary": "RHBZ#1849206",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849206"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7676",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7676"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7676",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7676"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058",
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
}
],
"release_date": "2020-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-angular: XSS due to regex-based HTML replacement"
},
{
"cve": "CVE-2020-7720",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-09-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1874606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-node-forge. A Prototype Pollution via the util.setPath function is possible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-node-forge: prototype pollution via the util.setPath function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Openshift Container Storage 4 the noobaa-core container includes the affected version of node-forge as a dependency of google-p12-pem, however the vulnerable function `util.setPath` is not being used and hence this issue has been rated as having a security impact of Low.\n\nIn OpenShift Container Platform (OCP) the prometheus container is behind OpenShift OAuth restricting access to the vulnerable node-forge library to authenticated users only, therefore the impact is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7720"
},
{
"category": "external",
"summary": "RHBZ#1874606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7720",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"release_date": "2020-09-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-node-forge: prototype pollution via the util.setPath function"
},
{
"cve": "CVE-2020-7743",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1887999"
}
],
"notes": [
{
"category": "description",
"text": "The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mathjs: prototype pollution via the deepExtend function that runs upon configuration updates",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7743"
},
{
"category": "external",
"summary": "RHBZ#1887999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887999"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7743",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7743"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7743",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7743"
}
],
"release_date": "2020-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mathjs: prototype pollution via the deepExtend function that runs upon configuration updates"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-11-30T14:12:30+00:00",
"details": "For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html",
"product_ids": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5249"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-Ansible-Tower-3.7:ansible-tower-37/ansible-tower-rhel7@sha256:46d02d82c8b89dc22259fd4d8ea2febd9c64427239806da48f97b0c96be157e5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
}
]
}
rhsa-2020_5605
Vulnerability from csaf_redhat
Published
2020-12-17 19:42
Modified
2024-11-24 20:21
Summary
Red Hat Security Advisory: Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update
Notes
Topic
Updated images are now available for Red Hat OpenShift Container Storage 4.6.0 on Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.
These updated images include numerous security fixes, bug fixes, and enhancements.
Security Fix(es):
* nodejs-node-forge: prototype pollution via the util.setPath function (CVE-2020-7720)
* nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS (CVE-2020-8237)
* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Users are directed to the Red Hat OpenShift Container Storage Release Notes for information on the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.6/html/4.6_release_notes/index
All Red Hat OpenShift Container Storage users are advised to upgrade to
these updated images.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat OpenShift Container Storage 4.6.0 on Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.\n\nThese updated images include numerous security fixes, bug fixes, and enhancements. \n\nSecurity Fix(es):\n\n* nodejs-node-forge: prototype pollution via the util.setPath function (CVE-2020-7720)\n\n* nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS (CVE-2020-8237)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nUsers are directed to the Red Hat OpenShift Container Storage Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.6/html/4.6_release_notes/index\n\nAll Red Hat OpenShift Container Storage users are advised to upgrade to\nthese updated images.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:5605",
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1806266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1806266"
},
{
"category": "external",
"summary": "1813506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813506"
},
{
"category": "external",
"summary": "1817438",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817438"
},
{
"category": "external",
"summary": "1817850",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817850"
},
{
"category": "external",
"summary": "1827157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827157"
},
{
"category": "external",
"summary": "1829055",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829055"
},
{
"category": "external",
"summary": "1833153",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833153"
},
{
"category": "external",
"summary": "1836299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1836299"
},
{
"category": "external",
"summary": "1842254",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842254"
},
{
"category": "external",
"summary": "1845976",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845976"
},
{
"category": "external",
"summary": "1849771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849771"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "1854500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854500"
},
{
"category": "external",
"summary": "1854501",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854501"
},
{
"category": "external",
"summary": "1854503",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854503"
},
{
"category": "external",
"summary": "1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "1858195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858195"
},
{
"category": "external",
"summary": "1859183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859183"
},
{
"category": "external",
"summary": "1859229",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859229"
},
{
"category": "external",
"summary": "1859478",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859478"
},
{
"category": "external",
"summary": "1860022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860022"
},
{
"category": "external",
"summary": "1860034",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860034"
},
{
"category": "external",
"summary": "1860670",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860670"
},
{
"category": "external",
"summary": "1860848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860848"
},
{
"category": "external",
"summary": "1861780",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1861780"
},
{
"category": "external",
"summary": "1865938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865938"
},
{
"category": "external",
"summary": "1867024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867024"
},
{
"category": "external",
"summary": "1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "1868060",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868060"
},
{
"category": "external",
"summary": "1868703",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868703"
},
{
"category": "external",
"summary": "1869411",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869411"
},
{
"category": "external",
"summary": "1870061",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870061"
},
{
"category": "external",
"summary": "1870338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870338"
},
{
"category": "external",
"summary": "1870631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870631"
},
{
"category": "external",
"summary": "1872119",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1872119"
},
{
"category": "external",
"summary": "1872696",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1872696"
},
{
"category": "external",
"summary": "1873864",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873864"
},
{
"category": "external",
"summary": "1874606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874606"
},
{
"category": "external",
"summary": "1875476",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875476"
},
{
"category": "external",
"summary": "1877339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877339"
},
{
"category": "external",
"summary": "1877371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877371"
},
{
"category": "external",
"summary": "1878153",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1878153"
},
{
"category": "external",
"summary": "1878714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1878714"
},
{
"category": "external",
"summary": "1878853",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1878853"
},
{
"category": "external",
"summary": "1879008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879008"
},
{
"category": "external",
"summary": "1879072",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879072"
},
{
"category": "external",
"summary": "1879919",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879919"
},
{
"category": "external",
"summary": "1880255",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1880255"
},
{
"category": "external",
"summary": "1881028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881028"
},
{
"category": "external",
"summary": "1881071",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881071"
},
{
"category": "external",
"summary": "1882397",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882397"
},
{
"category": "external",
"summary": "1883253",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883253"
},
{
"category": "external",
"summary": "1883398",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883398"
},
{
"category": "external",
"summary": "1883767",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883767"
},
{
"category": "external",
"summary": "1883810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883810"
},
{
"category": "external",
"summary": "1883927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883927"
},
{
"category": "external",
"summary": "1885175",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885175"
},
{
"category": "external",
"summary": "1885428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885428"
},
{
"category": "external",
"summary": "1885648",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885648"
},
{
"category": "external",
"summary": "1885971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885971"
},
{
"category": "external",
"summary": "1886308",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886308"
},
{
"category": "external",
"summary": "1886348",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886348"
},
{
"category": "external",
"summary": "1886551",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886551"
},
{
"category": "external",
"summary": "1886709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886709"
},
{
"category": "external",
"summary": "1886859",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886859"
},
{
"category": "external",
"summary": "1886873",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886873"
},
{
"category": "external",
"summary": "1888583",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888583"
},
{
"category": "external",
"summary": "1888593",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888593"
},
{
"category": "external",
"summary": "1888614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888614"
},
{
"category": "external",
"summary": "1889441",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889441"
},
{
"category": "external",
"summary": "1889683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889683"
},
{
"category": "external",
"summary": "1889866",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889866"
},
{
"category": "external",
"summary": "1890183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1890183"
},
{
"category": "external",
"summary": "1890638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1890638"
},
{
"category": "external",
"summary": "1890971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1890971"
},
{
"category": "external",
"summary": "1891856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1891856"
},
{
"category": "external",
"summary": "1892206",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892206"
},
{
"category": "external",
"summary": "1892234",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892234"
},
{
"category": "external",
"summary": "1893624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1893624"
},
{
"category": "external",
"summary": "1893691",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1893691"
},
{
"category": "external",
"summary": "1893714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1893714"
},
{
"category": "external",
"summary": "1895402",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895402"
},
{
"category": "external",
"summary": "1896298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1896298"
},
{
"category": "external",
"summary": "1896831",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1896831"
},
{
"category": "external",
"summary": "1898521",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1898521"
},
{
"category": "external",
"summary": "1902627",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902627"
},
{
"category": "external",
"summary": "1904171",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904171"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_5605.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update",
"tracking": {
"current_release_date": "2024-11-24T20:21:58+00:00",
"generator": {
"date": "2024-11-24T20:21:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:5605",
"initial_release_date": "2020-12-17T19:42:16+00:00",
"revision_history": [
{
"date": "2020-12-17T19:42:16+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-12-17T19:42:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-24T20:21:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product": {
"name": "Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_container_storage:4.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Container Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"product": {
"name": "ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"product_id": "ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/cephcsi-rhel8\u0026tag=4.6-52.49cf5efdd.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"product": {
"name": "ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"product_id": "ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/mcg-core-rhel8\u0026tag=5.6.0-38.31e0c3c7b.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"product": {
"name": "ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"product_id": "ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/mcg-rhel8-operator\u0026tag=5.6.0-39.2279a46.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"product": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"product_id": "ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/ocs-must-gather-rhel8\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"product": {
"name": "ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"product_id": "ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/ocs-operator-bundle\u0026tag=4.6.0-7"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"product": {
"name": "ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"product_id": "ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/ocs-rhel8-operator\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x",
"product": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x",
"product_id": "ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba?arch=s390x\u0026repository_url=registry.redhat.io/ocs4/rook-ceph-rhel8-operator\u0026tag=4.6-80.1ae5ac6a.release_4.6"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"product": {
"name": "ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"product_id": "ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/cephcsi-rhel8\u0026tag=4.6-52.49cf5efdd.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"product": {
"name": "ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"product_id": "ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/mcg-core-rhel8\u0026tag=5.6.0-38.31e0c3c7b.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"product": {
"name": "ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"product_id": "ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/mcg-rhel8-operator\u0026tag=5.6.0-39.2279a46.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"product": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"product_id": "ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/ocs-must-gather-rhel8\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"product": {
"name": "ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"product_id": "ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/ocs-operator-bundle\u0026tag=4.6.0-7"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"product": {
"name": "ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"product_id": "ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/ocs-rhel8-operator\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"product": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"product_id": "ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1?arch=amd64\u0026repository_url=registry.redhat.io/ocs4/rook-ceph-rhel8-operator\u0026tag=4.6-80.1ae5ac6a.release_4.6"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"product": {
"name": "ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"product_id": "ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/cephcsi-rhel8\u0026tag=4.6-52.49cf5efdd.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"product": {
"name": "ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"product_id": "ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/mcg-core-rhel8\u0026tag=5.6.0-38.31e0c3c7b.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"product": {
"name": "ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"product_id": "ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/mcg-rhel8-operator\u0026tag=5.6.0-39.2279a46.5.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"product": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"product_id": "ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/ocs-must-gather-rhel8\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"product": {
"name": "ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"product_id": "ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/ocs-operator-bundle\u0026tag=4.6.0-7"
}
}
},
{
"category": "product_version",
"name": "ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"product": {
"name": "ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"product_id": "ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/ocs-rhel8-operator\u0026tag=4.6-76.0811c33c.release_4.6"
}
}
},
{
"category": "product_version",
"name": "ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"product": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"product_id": "ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1?arch=ppc64le\u0026repository_url=registry.redhat.io/ocs4/rook-ceph-rhel8-operator\u0026tag=4.6-80.1ae5ac6a.release_4.6"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64"
},
"product_reference": "ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le"
},
"product_reference": "ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x"
},
"product_reference": "ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x"
},
"product_reference": "ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64"
},
"product_reference": "ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
},
"product_reference": "ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le"
},
"product_reference": "ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x"
},
"product_reference": "ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64"
},
"product_reference": "ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x"
},
"product_reference": "ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64"
},
"product_reference": "ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le"
},
"product_reference": "ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64"
},
"product_reference": "ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le"
},
"product_reference": "ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
},
"product_reference": "ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x"
},
"product_reference": "ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64"
},
"product_reference": "ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le"
},
"product_reference": "ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64 as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64"
},
"product_reference": "ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le"
},
"product_reference": "ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x as a component of Red Hat OpenShift Container Storage 4.6 on RHEL-8",
"product_id": "8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
},
"product_reference": "ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x",
"relates_to_product_reference": "8Base-RH-OCS-4.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7720",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-09-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1874606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-node-forge. A Prototype Pollution via the util.setPath function is possible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-node-forge: prototype pollution via the util.setPath function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Openshift Container Storage 4 the noobaa-core container includes the affected version of node-forge as a dependency of google-p12-pem, however the vulnerable function `util.setPath` is not being used and hence this issue has been rated as having a security impact of Low.\n\nIn OpenShift Container Platform (OCP) the prometheus container is behind OpenShift OAuth restricting access to the vulnerable node-forge library to authenticated users only, therefore the impact is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
],
"known_not_affected": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7720"
},
{
"category": "external",
"summary": "RHBZ#1874606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7720",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7720"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"release_date": "2020-09-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-17T19:42:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-node-forge: prototype pollution via the util.setPath function"
},
{
"cve": "CVE-2020-8237",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-09-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1881028"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-json-bigint. A Prototype pollution in json-bigint npm may lead to a denial-of-service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Openshift Container Storage 4 the noobaa-core container includes the affected version of json-bigint as a dependency of googleapis, however the json-bigint library is not being used and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
],
"known_not_affected": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8237"
},
{
"category": "external",
"summary": "RHBZ#1881028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881028"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8237",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8237"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8237",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8237"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/916430",
"url": "https://hackerone.com/reports/916430"
}
],
"release_date": "2020-08-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-17T19:42:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-json-bigint: Prototype pollution via `__proto__` assignment could result in DoS"
},
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"known_not_affected": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-17T19:42:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
},
{
"cve": "CVE-2020-15586",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2020-07-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856953"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found Go\u0027s net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP.\n\nSimilar to OCP, OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low.\n\nRed Hat Gluster Storage 3 and Red Hat Openshift Container Storage 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.\n\nRed Hat Ceph Storage 3 and 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"known_not_affected": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-15586"
},
{
"category": "external",
"summary": "RHBZ#1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ",
"url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ"
}
],
"release_date": "2020-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-17T19:42:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS"
},
{
"cve": "CVE-2020-16845",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-08-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1867099"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low.\n\nRed Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"known_not_affected": [
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:228facfd8d353ab64a8752579b3f9a6fd0cc00b684a48de8ba4a93a41f12ae25_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:6c553f9b1826b20d599a85e336cc37ab7ea968016421f387b50f3fa0b2619d16_amd64",
"8Base-RH-OCS-4.6:ocs4/mcg-core-rhel8@sha256:de77acd77b0d96e98cade06428f562018d975204c439d1f9eb5fa861da95dd0b_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:07b8cf8f427b8012fb06f25ae6b9c914ee5afa854a12d025b027ab45a66f03dc_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:793af66664c7f9258db7b76da07d1f4359cfd00267e7b30b6e286f56fa107c9c_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-operator-bundle@sha256:863bdc2ff0e0f453db71c06996571563b662c33d711481ef9447f7b599d653b4_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-16845"
},
{
"category": "external",
"summary": "RHBZ#1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo",
"url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo"
}
],
"release_date": "2020-08-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-17T19:42:16+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:5605"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:492c9108e48616af210528103f20194ef29fa4cd8d9763c94d96b6f265e4469e_amd64",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:c16704fcd90730c2fb0d8de17dd88c8439167d0b05609fccacde179878941b4d_ppc64le",
"8Base-RH-OCS-4.6:ocs4/cephcsi-rhel8@sha256:cd06aed28dac2e6bfe353648f87ac36a1c026ce7a19c354641de52a88fabe634_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:7959ba718b188efd0148f75f53cf5f44c78c930dd9d42e1d956e24c626ea2750_ppc64le",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:9f0961dd0244e87ee0ac84b4c0e6429587ae4f9693f4d2eccb2aea8bfbb5c976_s390x",
"8Base-RH-OCS-4.6:ocs4/mcg-rhel8-operator@sha256:ce2193663c4a7f745297f8ffe31a5928fa4897094a33af62f0baeb5cbc16f93f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:0d5d1bd9b22e36f2631798d0de425a2d9d2733089d1236f64187e6d6b2dc8f70_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:3b6e4a5ef4f5d7d4337914aea48c763ff880b69bfc7d38c58f89df971bb5ae08_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-must-gather-rhel8@sha256:fc8f005b12eff3ffcf98c8af6990a751140c006809c1e98a55b50a56834566c2_ppc64le",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:3d3974fa0859d2515876eff3536cc02b6f38edc54f3abf95cf6d89eff15e9c03_s390x",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:672dc6d72efceb4028b8d9d5797c294d4e29cab89d1c3252fd8f67d5e695039f_amd64",
"8Base-RH-OCS-4.6:ocs4/ocs-rhel8-operator@sha256:9b31ac173c178cb1fd1615d203a734d1b1ba167ef9fad4f6385fda165a3ab010_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:24fdccaa3e922e377ab4afc5e9f1688ab9b6ad62d4f67c3d8f9eb514d57e71d1_amd64",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:4ad4f6e105496f0cb6e5153bdcc67af0b580e5edd894d2481d8c8d3fe7a8a7c1_ppc64le",
"8Base-RH-OCS-4.6:ocs4/rook-ceph-rhel8-operator@sha256:88236806d818e3f32137ea71824133b4373829325e82ba23e0fe2f199850a3ba_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs"
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.