CVE-2020-8203
Vulnerability from cvelistv5
Source | URL | Tags |
---|---|---|
support@hackerone.com | https://github.com/lodash/lodash/issues/4874 | Issue Tracking, Vendor Advisory |
support@hackerone.com | https://hackerone.com/reports/712065 | Exploit, Third Party Advisory |
support@hackerone.com | https://security.netapp.com/advisory/ntap-20200724-0006/ | Third Party Advisory |
support@hackerone.com | https://www.oracle.com//security-alerts/cpujul2021.html | Patch, Third Party Advisory |
support@hackerone.com | https://www.oracle.com/security-alerts/cpuApr2021.html | Patch, Third Party Advisory |
support@hackerone.com | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory |
support@hackerone.com | https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory |
support@hackerone.com | https://www.oracle.com/security-alerts/cpuoct2021.html | Patch, Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:56:28.214Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/712065" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lodash/lodash/issues/4874" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "lodash", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Not Fixed" } ] } ], "descriptions": [ { "lang": "en", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling (CWE-770)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:23:22", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/712065" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lodash/lodash/issues/4874" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8203", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "lodash", "version": { "version_data": [ { "version_value": "Not Fixed" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Allocation of Resources Without Limits or Throttling (CWE-770)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/712065", "refsource": "MISC", "url": "https://hackerone.com/reports/712065" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20200724-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "name": "https://github.com/lodash/lodash/issues/4874", "refsource": "MISC", "url": "https://github.com/lodash/lodash/issues/4874" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8203", "datePublished": "2020-07-15T16:10:27", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:28.214Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": 
"{\"cve\":{\"id\":\"CVE-2020-8203\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2020-07-15T17:15:11.797\",\"lastModified\":\"2024-01-21T02:37:13.193\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.\"},{\"lang\":\"es\",\"value\":\"Un ataque de contaminaci\u00f3n de prototipo cuando se utiliza _.zipObjectDeep en lodash versiones anteriores a 4.17.20\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]},{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*\",\"
versionEndExcluding\":\"4.17.20\",\"matchCriteriaId\":\"5320B76A-C335-4F3B-A589-73CC64033FFB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CF9A061-2421-426D-9854-0A4E55B2961D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F95EDC3D-54BB-48F9-82F2-7CCF335FCA78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B72B735F-4E52-484A-9C2C-23E6E2070385\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B36A1D4-F391-4EE3-9A65-0A10568795BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0275F820-40BE-47B8-B167-815A55DF578E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C8E145E-1DF0-4B18-B625-F04DF71F6ACF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EABAFD73-150F-4DFE-B721-29EB4475D979\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A45D47B-3401-49CF-92EE-79D007D802A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33605127-1352-4285-AE96-B51156B70613\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_
liquidity_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA7423C4-7016-429B-997F-61E7AEB8F696\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7BC8689-5E87-43FE-ADE8-5907F581B08E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A8420D4-AAF1-44AA-BF28-48EE3ED310B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FB80AC5-35F2-4703-AD93-416B46972EEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"19DAAEFF-AB4A-4D0D-8C86-D2F2811B53B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E14324D-B9EE-4C06-ACC7-255189ED6300\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBEBB60F-6EAB-4AE5-B777-5044C657FBA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B185C1EA-71E6-4972-8637-08A33CC00841\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1534C11-E3F5-49F3-8F8D-7C5C90951E69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1111BCFD-E336-4B31-A87E-76C684AC6DE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"21.1.2\",\"matchCriteriaId\":\"D0DBC938-A782-433F-8BF
1-CA250C332AA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"790A89FD-6B86-49AE-9B4F-AE7262915E13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E39D442D-1997-49AF-8B02-5640BE2A26CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC7DB86F-3FAA-43C1-9C44-7CC5FB34419E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C416FD3-2E2F-4BBC-BD5F-F896825883F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D886339E-EDB2-4879-BD54-1800E4CA9CAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62A561CF-09BE-4EDB-AAB7-4B057C0B0E44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ECF63433-30CC-4E0D-B66A-FD160111763B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F2BFCE3-D743-4AC6-8FEC-75CAF66BFB65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8D05530-BFC7-4652-B387-BC931F43AB5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"348EEE70-E114-4720-AAAF-E77DE5C9A2D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3DCDD73B-57B1-4580-B922-5662E3AC13B6\"},{\"vulnerable\":true,\"cr
iteria\":\"cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B317147-064A-4786-B3D6-CDE1653E067E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.2.6.0\",\"matchCriteriaId\":\"9722362B-027B-4311-8F3A-287AE1199019\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8AF00C6-B97F-414D-A8DF-057E6BFD8597\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.12.0\",\"versionEndIncluding\":\"17.12.11\",\"matchCriteriaId\":\"8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.8.0\",\"versionEndIncluding\":\"18.8.12\",\"matchCriteriaId\":\"301E7158-9090-467C-B3B4-30A8DB3B395D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.12.0\",\"versionEndIncluding\":\"19.12.11\",\"matchCriteriaId\":\"BBEFACB1-C8EA-492B-8F85-A564DB363C83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.12.0\",\"versionEndIncluding\":\"20.12.7\",\"matchCriteriaId\":\"E6B70E72-B9FC-4E49-8EDD-29C7E14F5792\"}]}]}],\"references\":[{\"url\":\"https://github.com/lodash/lodash/issues/4874\",\"source\":\"support@hackerone.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/712065\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Third Party 
Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200724-0006/\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}" } }
wid-sec-w-2022-1375
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JFrog Artifactory ist eine universelle DevOps-L\u00f6sung.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-1375 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json" }, { "category": "self", "summary": "WID-SEC-2022-1375 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", "url": "https://access.redhat.com/errata/RHSA-2023:5165" }, { "category": "external", "summary": "JFrog Fixed Security Vulnerabilities vom 2022-09-11", "url": 
"https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities" }, { "category": "external", "summary": "JFrog Fixed Security Vulnerabilities", "url": "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", "url": "https://access.redhat.com/errata/RHSA-2022:6782" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", "url": "https://ubuntu.com/security/notices/USN-5776-1" } ], "source_lang": "en-US", "title": "JFrog Artifactory: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-09-14T22:00:00.000+00:00", "generator": { "date": "2024-02-15T16:58:09.779+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-1375", "initial_release_date": "2022-09-11T22:00:00.000+00:00", "revision_history": [ { "date": "2022-09-11T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-10-03T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates aufgenommen" }, { "date": "2022-10-04T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-12-12T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2022-12-20T23:00:00.000+00:00", "number": "5", "summary": "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE" }, { "date": "2023-09-14T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "6" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "JFrog Artifactory", "product": { "name": "JFrog Artifactory", "product_id": "T024527", "product_identification_helper": { "cpe": "cpe:/a:jfrog:artifactory:-" } } }, { "category": "product_name", "name": "JFrog Artifactory \u003c 7.46.3", "product": { "name": 
"JFrog Artifactory \u003c 7.46.3", "product_id": "T024764", "product_identification_helper": { "cpe": "cpe:/a:jfrog:artifactory:7.46.3" } } } ], "category": "product_name", "name": "Artifactory" } ], "category": "vendor", "name": "JFrog" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2013-4517", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2013-4517" }, { "cve": "CVE-2013-7285", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2013-7285" }, { "cve": "CVE-2014-0107", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2014-0107" }, { "cve": "CVE-2014-0114", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2014-0114" }, { "cve": "CVE-2014-3577", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2014-3577" }, { "cve": "CVE-2014-3623", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2014-3623" }, { "cve": "CVE-2015-0227", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2015-0227" }, { "cve": "CVE-2015-2575", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2015-2575" }, { "cve": "CVE-2015-3253", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2015-3253" }, { "cve": "CVE-2015-4852", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2015-4852" }, { "cve": "CVE-2015-7940", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2015-7940" }, { "cve": "CVE-2016-10750", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-10750" }, { "cve": "CVE-2016-3092", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-3092" }, { "cve": "CVE-2016-3674", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-3674" }, { "cve": "CVE-2016-6501", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-6501" }, { "cve": "CVE-2016-8735", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-8735" }, { "cve": "CVE-2016-8745", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2016-8745" }, { "cve": "CVE-2017-1000487", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-1000487" }, { "cve": "CVE-2017-15095", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-15095" }, { "cve": "CVE-2017-17485", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-17485" }, { "cve": "CVE-2017-18214", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-18214" }, { "cve": "CVE-2017-18640", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-18640" }, { "cve": "CVE-2017-7525", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-7525" }, { "cve": "CVE-2017-7657", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-7657" }, { "cve": "CVE-2017-7957", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-7957" }, { "cve": "CVE-2017-9506", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2017-9506" }, { "cve": "CVE-2018-1000206", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2018-1000206" }, { "cve": "CVE-2018-9116", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2018-9116" }, { "cve": "CVE-2019-10219", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2019-10219" }, { "cve": "CVE-2019-12402", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2019-12402" }, { "cve": "CVE-2019-17359", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2019-17359" }, { "cve": "CVE-2019-17571", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2019-17571" }, { "cve": "CVE-2019-20104", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2019-20104" }, { "cve": "CVE-2020-11996", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-11996" }, { "cve": "CVE-2020-13934", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-13934" }, { "cve": "CVE-2020-13935", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-13935" }, { "cve": "CVE-2020-13949", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-13949" }, { "cve": "CVE-2020-14340", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-14340" }, { "cve": "CVE-2020-15586", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-15586" }, { "cve": "CVE-2020-1745", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-1745" }, { "cve": "CVE-2020-17521", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-17521" }, { "cve": "CVE-2020-25649", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-25649" }, { "cve": "CVE-2020-28500", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-28500" }, { "cve": "CVE-2020-29582", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-29582" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-7226", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-7226" }, { "cve": "CVE-2020-7692", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-7692" }, { "cve": "CVE-2020-8203", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2020-8203" }, { "cve": "CVE-2021-13936", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-13936" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-21290" }, { "cve": "CVE-2021-22060", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22060" }, { "cve": "CVE-2021-22112", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22112" }, { "cve": "CVE-2021-22119", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22119" }, { "cve": "CVE-2021-22147", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22147" }, { "cve": "CVE-2021-22148", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22148" }, { "cve": "CVE-2021-22149", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22149" }, { "cve": "CVE-2021-22573", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-22573" }, { "cve": "CVE-2021-23337", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-23337" }, { "cve": "CVE-2021-25122", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-25122" }, { "cve": "CVE-2021-26291", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-26291" }, { "cve": "CVE-2021-27568", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-27568" }, { "cve": "CVE-2021-29505", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-29505" }, { "cve": "CVE-2021-30129", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-30129" }, { "cve": "CVE-2021-33037", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-33037" }, { "cve": "CVE-2021-35550", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35550" }, { "cve": "CVE-2021-35556", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35556" }, { "cve": "CVE-2021-35560", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35560" }, { "cve": "CVE-2021-35561", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35561" }, { "cve": "CVE-2021-35564", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35564" }, { "cve": "CVE-2021-35565", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35565" }, { "cve": "CVE-2021-35567", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35567" }, { "cve": "CVE-2021-35578", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35578" }, { "cve": "CVE-2021-35586", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35586" }, { "cve": "CVE-2021-35588", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35588" }, { "cve": "CVE-2021-35603", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-35603" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-3765", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-3765" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-3807" }, { "cve": "CVE-2021-38561", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-38561" }, { "cve": "CVE-2021-3859", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-3859" }, { "cve": "CVE-2021-41090", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-41090" }, { "cve": "CVE-2021-41091", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-41091" }, { "cve": "CVE-2021-42340", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-42340" }, { "cve": "CVE-2021-42550", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-42550" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2021-43797" }, { "cve": "CVE-2022-0536", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-0536" }, { "cve": "CVE-2022-22963", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-22963" }, { "cve": "CVE-2022-23632", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-23632" }, { "cve": "CVE-2022-23648", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-23648" }, { "cve": "CVE-2022-23806", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-23806" }, { "cve": "CVE-2022-24769", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-24769" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-27191", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-27191" }, { "cve": "CVE-2022-29153", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-29153" }, { "cve": "CVE-2022-32212", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-32212" }, { "cve": "CVE-2022-32213", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-32213" }, { "cve": "CVE-2022-32214", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-32214" }, { "cve": "CVE-2022-32215", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-32215" }, { "cve": "CVE-2022-32223", "notes": [ { "category": "description", "text": "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszul\u00f6sen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." 
} ], "product_status": { "known_affected": [ "T024527", "67646", "T000126", "T024764" ] }, "release_date": "2022-09-11T22:00:00Z", "title": "CVE-2022-32223" } ] }
wid-sec-w-2023-1350
Vulnerability from csaf_certbund
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Splunk Enterprise erm\u00f6glicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Splunk Splunk Enterprise in diversen Komponenten von Drittanbietern ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1350 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1350.json" }, { "category": "self", "summary": "WID-SEC-2023-1350 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1350" }, { "category": "external", "summary": "Splunk Enterprise Security Advisory SVD-2023-0613 vom 2023-06-01", "url": "https://advisory.splunk.com/advisories/SVD-2023-0613" }, { "category": "external", "summary": "IBM Security Bulletin 7008449 vom 2023-06-29", "url": "https://www.ibm.com/support/pages/node/7008449" }, { 
"category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0487-1 vom 2024-02-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017931.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0486-1 vom 2024-02-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017932.html" } ], "source_lang": "en-US", "title": "Splunk Splunk Enterprise: Mehrere Schwachstellen in Komponenten von Drittanbietern", "tracking": { "current_release_date": "2024-02-15T23:00:00.000+00:00", "generator": { "date": "2024-02-16T09:06:57.360+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-1350", "initial_release_date": "2023-06-01T22:00:00.000+00:00", "revision_history": [ { "date": "2023-06-01T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-06-29T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-23T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-02-15T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "branches": [ { "category": 
"product_version_range", "name": "\u003c 8.1.14", "product": { "name": "Splunk Splunk Enterprise \u003c 8.1.14", "product_id": "T027935", "product_identification_helper": { "cpe": "cpe:/a:splunk:splunk:8.1.14" } } }, { "category": "product_version_range", "name": "\u003c 8.2.11", "product": { "name": "Splunk Splunk Enterprise \u003c 8.2.11", "product_id": "T027936", "product_identification_helper": { "cpe": "cpe:/a:splunk:splunk:8.2.11" } } }, { "category": "product_version_range", "name": "\u003c 9.0.5", "product": { "name": "Splunk Splunk Enterprise \u003c 9.0.5", "product_id": "T027937", "product_identification_helper": { "cpe": "cpe:/a:splunk:splunk:9.0.5" } } } ], "category": "product_name", "name": "Splunk Enterprise" } ], "category": "vendor", "name": "Splunk" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-27538", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27538" }, { "cve": "CVE-2023-27537", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27537" }, { "cve": "CVE-2023-27536", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27536" }, { "cve": "CVE-2023-27535", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27535" }, { "cve": "CVE-2023-27534", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27534" }, { "cve": "CVE-2023-27533", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-27533" }, { "cve": "CVE-2023-23916", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-23916" }, { "cve": "CVE-2023-23915", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-23915" }, { "cve": "CVE-2023-23914", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-23914" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-1370" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0215", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2023-0215" }, { "cve": "CVE-2022-46175", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-46175" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-43552", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-43552" }, { "cve": "CVE-2022-43551", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-43551" }, { "cve": "CVE-2022-4304", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-4304" }, { "cve": "CVE-2022-42916", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-42916" }, { "cve": "CVE-2022-42915", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-42915" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-4200", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-4200" }, { "cve": "CVE-2022-41720", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-41720" }, { "cve": "CVE-2022-41716", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-41716" }, { "cve": "CVE-2022-41715", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-41715" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40303", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-40303" }, { "cve": "CVE-2022-40023", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-40023" }, { "cve": "CVE-2022-38900", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-38900" }, { "cve": "CVE-2022-37616", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-37616" }, { "cve": "CVE-2022-37603", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-37603" }, { "cve": "CVE-2022-37601", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-37601" }, { "cve": "CVE-2022-37599", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-37599" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-36227", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-36227" }, { "cve": "CVE-2022-35737", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-35260", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-35260" }, { "cve": "CVE-2022-35252", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-35252" }, { "cve": "CVE-2022-3517", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-3517" }, { "cve": "CVE-2022-33987", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-33987" }, { "cve": "CVE-2022-32221", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32221" }, { "cve": "CVE-2022-32208", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32208" }, { "cve": "CVE-2022-32207", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32207" }, { "cve": "CVE-2022-32206", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32206" }, { "cve": "CVE-2022-32205", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32205" }, { "cve": "CVE-2022-32189", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32189" }, { "cve": "CVE-2022-32148", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-32148" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-30635", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30635" }, { "cve": "CVE-2022-30634", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30634" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-30632", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30632" }, { "cve": "CVE-2022-30631", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30631" }, { "cve": "CVE-2022-30630", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30630" }, { "cve": "CVE-2022-30629", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30629" }, { "cve": "CVE-2022-30580", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30580" }, { "cve": "CVE-2022-30115", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-30115" }, { "cve": "CVE-2022-29804", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-29804" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-2879", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-2879" }, { "cve": "CVE-2022-28327", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-28327" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-27782", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27782" }, { "cve": "CVE-2022-27781", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27781" }, { "cve": "CVE-2022-27780", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27780" }, { "cve": "CVE-2022-27779", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27779" }, { "cve": "CVE-2022-27778", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27778" }, { "cve": "CVE-2022-27776", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27776" }, { "cve": "CVE-2022-27775", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27775" }, { "cve": "CVE-2022-27774", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27774" }, { "cve": "CVE-2022-27664", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27664" }, { "cve": "CVE-2022-27191", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-27191" }, { "cve": "CVE-2022-25858", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-25858" }, { "cve": "CVE-2022-24999", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-24999" }, { "cve": "CVE-2022-24921", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-24921" }, { "cve": "CVE-2022-24675", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-24675" }, { "cve": "CVE-2022-23806", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-23806" }, { "cve": "CVE-2022-23773", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-23773" }, { "cve": "CVE-2022-23772", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-23772" }, { "cve": "CVE-2022-23491", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-23491" }, { "cve": "CVE-2022-22576", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-22576" }, { "cve": "CVE-2022-1962", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-1962" }, { "cve": "CVE-2022-1705", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2022-1705" }, { "cve": "CVE-2021-43565", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-43565" }, { "cve": "CVE-2021-3803", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-3803" }, { "cve": "CVE-2021-36976", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-36976" }, { "cve": "CVE-2021-3520", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-3520" }, { "cve": "CVE-2021-33587", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-33587" }, { "cve": "CVE-2021-33503", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-33503" }, { "cve": "CVE-2021-33502", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-33502" }, { "cve": "CVE-2021-31566", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-31566" }, { "cve": "CVE-2021-29060", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-29060" }, { "cve": "CVE-2021-27292", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-27292" }, { "cve": "CVE-2021-23382", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-23382" }, { "cve": "CVE-2021-23368", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-23368" }, { "cve": "CVE-2021-23343", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-23343" }, { "cve": "CVE-2021-22947", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22947" }, { "cve": "CVE-2021-22946", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22946" }, { "cve": "CVE-2021-22945", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22945" }, { "cve": "CVE-2021-22926", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22926" }, { "cve": "CVE-2021-22925", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22925" }, { "cve": "CVE-2021-22924", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22924" }, { "cve": "CVE-2021-22923", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22923" }, { "cve": "CVE-2021-22922", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22922" }, { "cve": "CVE-2021-22901", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22901" }, { "cve": "CVE-2021-22898", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22898" }, { "cve": "CVE-2021-22897", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22897" }, { "cve": "CVE-2021-22890", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22890" }, { "cve": "CVE-2021-22876", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-22876" }, { "cve": "CVE-2021-20095", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2021-20095" }, { "cve": "CVE-2020-8286", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8286" }, { "cve": "CVE-2020-8285", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8285" }, { "cve": "CVE-2020-8284", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8284" }, { "cve": "CVE-2020-8231", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8231" }, { "cve": "CVE-2020-8203", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8203" }, { "cve": "CVE-2020-8177", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8177" }, { "cve": "CVE-2020-8169", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8169" }, { "cve": "CVE-2020-8116", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-8116" }, { "cve": "CVE-2020-7774", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-7774" }, { "cve": "CVE-2020-7753", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-7753" }, { "cve": "CVE-2020-7662", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-7662" }, { "cve": "CVE-2020-28469", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-28469" }, { "cve": "CVE-2020-15138", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-15138" }, { "cve": "CVE-2020-13822", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2020-13822" }, { "cve": "CVE-2019-20149", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2019-20149" }, { "cve": "CVE-2019-10746", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2019-10746" }, { "cve": "CVE-2019-10744", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2019-10744" }, { "cve": "CVE-2018-25032", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." 
} ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2018-25032" }, { "cve": "CVE-2017-16042", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T002207", "5104" ] }, "release_date": "2023-06-01T22:00:00Z", "title": "CVE-2017-16042" } ] }
wid-sec-w-2023-2981
Vulnerability from csaf_certbund
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen, einen Denial of Service zu verursachen oder weitere nicht definierte Auswirkungen zu erzielen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-2981 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-2981.json" }, { "category": "self", "summary": "WID-SEC-2023-2981 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2981" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2023-6939 vom 2023-11-21", "url": "https://linux.oracle.com/errata/ELSA-2023-6939.html" }, { "category": "external", "summary": "RedHat Security Advisory vom 2020-08-06", "url": 
"https://access.redhat.com/errata/RHSA-2020:3369" }, { "category": "external", "summary": "RedHat Security Advisory vom 2020-08-06", "url": "https://access.redhat.com/errata/RHSA-2020:3372" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:3578 vom 2020-09-08", "url": "https://access.redhat.com/errata/RHSA-2020:3578" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:1129 vom 2021-04-08", "url": "https://access.redhat.com/errata/RHSA-2021:1129" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:1168 vom 2021-04-13", "url": "https://access.redhat.com/errata/RHSA-2021:1168" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:3727 vom 2020-09-16", "url": "https://access.redhat.com/errata/RHSA-2020:3727" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:3780 vom 2020-09-21", "url": "https://access.redhat.com/errata/RHSA-2020:3780" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:3783 vom 2020-09-22", "url": "https://access.redhat.com/errata/RHSA-2020:3783" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:4297 vom 2020-10-27", "url": "https://access.redhat.com/errata/RHSA-2020:4297" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:2039 vom 2021-05-19", "url": "https://access.redhat.com/errata/RHSA-2021:2039" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:4694 vom 2020-11-04", "url": "https://access.redhat.com/errata/RHSA-2020:4694" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5054 vom 2020-11-10", "url": "https://access.redhat.com/errata/RHSA-2020:5054" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5055 vom 2020-11-10", "url": "https://access.redhat.com/errata/RHSA-2020:5055" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5149 vom 
2020-11-18", "url": "https://access.redhat.com/errata/RHSA-2020:5149" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5198 vom 2020-11-24", "url": "https://access.redhat.com/errata/RHSA-2020:5198" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5606 vom 2020-12-17", "url": "https://access.redhat.com/errata/RHSA-2020:5606" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:5611 vom 2020-12-17", "url": "https://access.redhat.com/errata/RHSA-2020:5611" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:1369 vom 2021-04-26", "url": "https://access.redhat.com/errata/RHSA-2021:1369" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:0799 vom 2021-03-10", "url": "https://access.redhat.com/errata/RHSA-2021:0799" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3140 vom 2021-08-11", "url": "https://access.redhat.com/errata/RHSA-2021:3140" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3259 vom 2021-08-25", "url": "https://access.redhat.com/errata/RHSA-2021:3259" } ], "source_lang": "en-US", "title": "Red Hat OpenShift: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-11-21T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:52:09.158+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-2981", "initial_release_date": "2020-08-06T22:00:00.000+00:00", "revision_history": [ { "date": "2020-08-06T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2020-09-07T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-09-15T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-09-21T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": 
"2020-10-27T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-11-03T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-11-10T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-11-18T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-11-23T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-11-24T23:00:00.000+00:00", "number": "10", "summary": "Referenz(en) aufgenommen: RHSA-2020:5179" }, { "date": "2020-12-16T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-12-23T23:00:00.000+00:00", "number": "12", "summary": "Referenz(en) aufgenommen: FEDORA-2020-66E6E8D027" }, { "date": "2021-03-09T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-04-08T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-04-12T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-04-26T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-05-18T22:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-08-11T22:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-08-24T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-11-21T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Oracle Linux aufgenommen" } ], "status": "final", "version": "20" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": 
"T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift service mesh 1.1", "product": { "name": "Red Hat OpenShift service mesh 1.1", "product_id": "T016838", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:service_mesh_1.1" } } }, { "category": "product_name", "name": "Red Hat OpenShift service mesh 1.0", "product": { "name": "Red Hat OpenShift service mesh 1.0", "product_id": "T017057", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:service_mesh_1.0" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-12666", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenShift. Die \"macaron\" Komponente hat einen \"Open Redirect\" Fehler im statischen Handler. Ein Angreifer kann diese Schwachstelle ausnutzen, um das Opfer unbemerkt auf eine nicht vertrauensw\u00fcrdige Seite umzuleiten. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL oder Webseite in seinem Webbrowser zu \u00f6ffnen." } ], "product_status": { "known_affected": [ "T017057", "T016838", "67646", "T004914" ] }, "release_date": "2020-08-06T22:00:00Z", "title": "CVE-2020-12666" }, { "cve": "CVE-2020-14040", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenShift. In der Bibliothek golang.org/x/text besteht in einigen Funktionen, z. B. unicode.Transform, transform.String oder transform.Byte, ein Problem mit einer Endlosschleife. 
Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er einer entsprechenden Anwendung bestimmte Zeichen oder Zeichenfolgen bereitstellt, und dadurch einen Denial of Service verursachen." } ], "product_status": { "known_affected": [ "T017057", "T016838", "67646", "T004914" ] }, "release_date": "2020-08-06T22:00:00Z", "title": "CVE-2020-14040" }, { "cve": "CVE-2020-8203", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenShift. Hierbei handelt es sich um eine Prototype-Pollution-Schwachstelle bei der Benutzung von _.zipObjectDeep in lodash (betroffen sind lodash-Versionen vor 4.17.20). Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service oder weitere nicht definierte Auswirkungen zu erzielen." } ], "product_status": { "known_affected": [ "T017057", "T016838", "67646", "T004914" ] }, "release_date": "2020-08-06T22:00:00Z", "title": "CVE-2020-8203" } ] }
wid-sec-w-2023-3025
Vulnerability from csaf_certbund
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-3025 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3025.json" }, { "category": "self", "summary": "WID-SEC-2023-3025 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3025" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7637 vom 2023-12-05", "url": "https://access.redhat.com/errata/RHSA-2023:7637" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": 
"https://www.ibm.com/support/pages/node/7074335" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7074317" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7070765" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7070761" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7070759" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7070755" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067719" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067717" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067714" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067704" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067700" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067682" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067630" }, { "category": "external", "summary": "IBM Security Advisory vom 2023-11-28", "url": "https://www.ibm.com/support/pages/node/7067614" } ], "source_lang": "en-US", "title": "IBM InfoSphere Information Server: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-04T23:00:00.000+00:00", "generator": 
{ "date": "2024-02-15T17:52:43.120+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-3025", "initial_release_date": "2023-11-28T23:00:00.000+00:00", "revision_history": [ { "date": "2023-11-28T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-12-04T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM InfoSphere Information Server 11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-46174", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-46174" }, { "cve": "CVE-2023-43804", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. 
Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-43804" }, { "cve": "CVE-2023-43642", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-43642" }, { "cve": "CVE-2023-43021", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-43021" }, { "cve": "CVE-2023-43015", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." 
} ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-43015" }, { "cve": "CVE-2023-42022", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-42022" }, { "cve": "CVE-2023-42019", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-42019" }, { "cve": "CVE-2023-42009", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." 
} ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-42009" }, { "cve": "CVE-2023-40699", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-40699" }, { "cve": "CVE-2023-39410", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-39410" }, { "cve": "CVE-2023-38268", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." 
} ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-38268" }, { "cve": "CVE-2023-34462", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2023-34462" }, { "cve": "CVE-2022-25883", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2022-25883" }, { "cve": "CVE-2021-23337", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." 
} ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2021-23337" }, { "cve": "CVE-2020-8203", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2020-8203" }, { "cve": "CVE-2020-28500", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese bestehen in dem Kernprodukt sowie in einigen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "67646", "444803" ] }, "release_date": "2023-11-28T23:00:00Z", "title": "CVE-2020-28500" } ] }
rhsa-2020_4298
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2023 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift Container Platform 4.6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)\n\n* grafana: XSS vulnerability via a column style on the \"Dashboard \u003e Table Panel\" screen (CVE-2018-18624)\n\n* js-jquery: prototype pollution in object\u0027s prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)\n\n* npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)\n\n* kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013)\n\n* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)\n\n* npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* 
jquery: Cross-site scripting due to improper HTML handling in the jQuery.htmlPrefilter method (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\n* grafana: stored XSS (CVE-2020-11110)\n\n* grafana: XSS annotation popup vulnerability (CVE-2020-12052)\n\n* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)\n\n* nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* openshift/console: text injection on error page via crafted url (CVE-2020-10715)\n\n* kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743)\n\n* openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:4298", "url": "https://access.redhat.com/errata/RHSA-2020:4298" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_4298.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.1 image security update", "tracking": { "current_release_date": "2020-10-28T00:41:00Z", "generator": { "date": "2023-07-01T04:17:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.18.0" } }, "id": "RHSA-2020:4298", "initial_release_date": "2020-10-27T16:22:00Z", "revision_history": [ { "date": "2020-10-28T00:41:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "product_id": 
"openshift4/ose-ansible-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "product": { "name": "openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "product_id": "openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0" } }, { "category": "product_version", "name": "openshift4/ose-cli:v4.6.0-202010080605.p0", "product": { "name": "openshift4/ose-cli:v4.6.0-202010080605.p0", "product_id": "openshift4/ose-cli:v4.6.0-202010080605.p0" } }, { "category": "product_version", "name": 
"openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "product": { "name": "openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "product_id": "openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": 
"openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "product": { "name": "openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "product_id": "openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "product": { "name": "openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "product_id": "openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "product": { "name": "openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "product_id": "openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "product_id": 
"openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0" } }, { "category": 
"product_version", "name": "openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "product": { "name": "openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "product_id": "openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0" } }, { "category": "product_version", "name": "openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-console-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-console-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-console-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-console:v4.6.0-202010100121.p0", "product": { "name": "openshift4/ose-console:v4.6.0-202010100121.p0", "product_id": "openshift4/ose-console:v4.6.0-202010100121.p0" } }, { "category": "product_version", "name": "openshift4/ose-coredns:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-coredns:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-coredns:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "product": { "name": 
"openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "product": { "name": 
"openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-descheduler:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-descheduler:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-descheduler:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "product": { "name": "openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "product_id": "openshift4/ose-docker-builder:v4.6.0-202010120952.p0" } }, { "category": "product_version", "name": "openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "product_id": 
"openshift4/ose-docker-registry:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-etcd:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-etcd:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-etcd:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-grafana:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-grafana:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-grafana:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "product": { "name": "openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "product_id": "openshift4/ose-hyperkube:v4.6.0-202010081843.p0" } }, { "category": "product_version", "name": "openshift4/ose-installer:v4.6.0-202010081843.p0", "product": { "name": "openshift4/ose-installer:v4.6.0-202010081843.p0", "product_id": "openshift4/ose-installer:v4.6.0-202010081843.p0" } }, { "category": "product_version", "name": "openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "product": { "name": 
"openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "product": { "name": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "product_id": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0" } }, { "category": "product_version", "name": "openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", 
"product_id": "openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-multus-cni:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "product": { "name": "openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "product_id": "openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0" } }, { "category": "product_version", "name": "openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "product": { "name": "openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "product_id": "openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0" } }, { "category": "product_version", "name": "openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "product": { "name": "openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "product_id": 
"openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0" } }, { "category": "product_version", "name": "openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "product": { "name": "openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "product_id": "openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0" } }, { "category": "product_version", "name": "openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "product": { "name": "openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "product_id": "openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0" } }, { "category": "product_version", "name": "openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-operator-registry:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-prometheus:v4.6.0-202009290409.p0", "product": { "name": "openshift4/ose-prometheus:v4.6.0-202009290409.p0", "product_id": "openshift4/ose-prometheus:v4.6.0-202009290409.p0" } }, { "category": "product_version", "name": "openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-ptp-operator:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": 
"openshift4/ose-ptp:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-ptp:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-ptp:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "product": { "name": "openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "product_id": "openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0" } }, { "category": "product_version", "name": "openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "product": { "name": "openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "product_id": "openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0" } }, { "category": "product_version", "name": "openshift4/ose-tests:v4.6.0-202010120952.p0", "product": { "name": "openshift4/ose-tests:v4.6.0-202010120952.p0", "product_id": "openshift4/ose-tests:v4.6.0-202010120952.p0" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-ansible-operator:v4.6.0-202010200139.p0 as a component 
of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": 
"8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0" }, "product_reference": "openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cli:v4.6.0-202010080605.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0" }, "product_reference": "openshift4/ose-cli:v4.6.0-202010080605.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0" }, "product_reference": 
"openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0" }, "product_reference": "openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0 as a component of Red Hat 
OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0" }, "product_reference": "openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0" }, "product_reference": 
"openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0" }, "product_reference": "openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { 
"category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0" }, "product_reference": "openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-console-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-console-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-console:v4.6.0-202010100121.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0" }, "product_reference": "openshift4/ose-console:v4.6.0-202010100121.p0", 
"relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-coredns:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-coredns:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": 
"default_component_of", "full_product_name": { "name": "openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-descheduler:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-descheduler:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-docker-builder:v4.6.0-202010120952.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0" }, "product_reference": "openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-docker-registry:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0 as a 
component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-etcd:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-etcd:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-grafana:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-grafana:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-hyperkube:v4.6.0-202010081843.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0" }, "product_reference": "openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-installer:v4.6.0-202010081843.p0 as a 
component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0" }, "product_reference": "openshift4/ose-installer:v4.6.0-202010081843.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "relates_to_product_reference": 
"8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0" }, "product_reference": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0" }, "product_reference": 
"openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-multus-cni:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0" }, "product_reference": "openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0" }, "product_reference": "openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0" }, "product_reference": "openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0" }, "product_reference": 
"openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0" }, "product_reference": "openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0" }, "product_reference": "openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-operator-registry:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-prometheus:v4.6.0-202009290409.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" }, "product_reference": "openshift4/ose-prometheus:v4.6.0-202009290409.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-ptp-operator:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": 
"8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-ptp:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-ptp:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0" }, "product_reference": "openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0" }, "product_reference": "openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-tests:v4.6.0-202010120952.p0 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" }, "product_reference": "openshift4/ose-tests:v4.6.0-202010120952.p0", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2013-0169", "discovery_date": "2013-02-04T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", 
"8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=907589" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.", "title": "Vulnerability description" }, { "category": "summary", "text": "CBC padding timing attack (lucky-13)", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", 
"8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0169", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0169" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0169", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0169" }, { "category": "external", "summary": "http://www.isg.rhul.ac.uk/tls/", "url": "http://www.isg.rhul.ac.uk/tls/" }, { "category": "external", "summary": "http://www.openssl.org/news/secadv_20130205.txt", "url": "http://www.openssl.org/news/secadv_20130205.txt" }, { "category": "external", "summary": "https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released", "url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released" }, { "category": "external", "summary": "CVE-2013-0169", "url": "https://access.redhat.com/security/cve/CVE-2013-0169" }, { "category": "external", "summary": "bz#907589: CBC padding timing attack (lucky-13)", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=907589" } ], "release_date": "2013-02-04T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata 
update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "collateralDamagePotential": "NOT_DEFINED", "confidentialityImpact": "PARTIAL", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 0.0, "exploitability": "NOT_DEFINED", "integrityImpact": "PARTIAL", "integrityRequirement": "NOT_DEFINED", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "targetDistribution": "NOT_DEFINED", "temporalScore": 0.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2013-02-04T00:00:00Z", "details": "Moderate" } ], "title": "CBC padding timing attack (lucky-13)" }, { "cve": "CVE-2018-18624", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-24T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", 
"8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1850572" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in grafana. 
An incomplete fix for CVE-2018-12099 allows for a XSS via a column style on the \"Dashboard \u003e Table Panel\" screen.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: XSS vulnerability via a column style on the \"Dashboard \u003e Table Panel\" screen", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-18624", "url": "https://www.cve.org/CVERecord?id=CVE-2018-18624" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18624", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18624" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200608-0008/", "url": "https://security.netapp.com/advisory/ntap-20200608-0008/" }, { "category": 
"external", "summary": "CVE-2018-18624", "url": "https://access.redhat.com/security/cve/CVE-2018-18624" }, { "category": "external", "summary": "bz#1850572: CVE-2018-18624 grafana: XSS vulnerability via a column style on the \"Dashboard \u003e Table Panel\" screen", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850572" } ], "release_date": "2020-06-02T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-24T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2018-18624 grafana: XSS vulnerability via a column style on the \"Dashboard \u003e Table Panel\" screen" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ 
"8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. 
A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": 
"external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" }, { "category": "external", "summary": "CVE-2019-11358", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "bz#1701972: CVE-2019-11358 jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" } ], "release_date": "2019-03-27T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2019-03-28T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2019-11358 jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2019-16769", "cwe": { "id": "CWE-79", "name": 
"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-17T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1848092" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A XSS flaw was found in npm-serialize-javascript. It does not properly mitigate against unsafe characters in serialized regular expressions. 
This vulnerability does not affect Node.js environments, because Node.js\u0027s implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular-expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16769", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16769" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16769", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16769" }, { "category": "external", 
"summary": "CVE-2019-16769", "url": "https://access.redhat.com/security/cve/CVE-2019-16769" }, { "category": "external", "summary": "bz#1848092: CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848092" } ], "release_date": "2020-05-04T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-17T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions" }, { "cve": "CVE-2020-7013", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2020-06-19T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ 
"8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", 
"8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1849044" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. 
This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.", "title": "Vulnerability description" }, { "category": "summary", "text": "kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7013", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7013" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7013", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7013" }, { "category": "external", "summary": "https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571", "url": 
"https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571" }, { "category": "external", "summary": "CVE-2020-7013", "url": "https://access.redhat.com/security/cve/CVE-2020-7013" }, { "category": "external", "summary": "bz#1849044: CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849044" } ], "release_date": "2020-06-03T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-19T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)" }, { "cve": "CVE-2020-7598", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-03-11T00:00:00Z", "flags": [ { "label": 
"component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", 
"8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1813344" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a \"constructor\" or \"__proto__\" payload. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7598", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7598" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "category": "external", "summary": 
"CVE-2020-7598", "url": "https://access.redhat.com/security/cve/CVE-2020-7598" }, { "category": "external", "summary": "bz#1813344: CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813344" } ], "release_date": "2020-03-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-03-11T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload" }, { "cve": "CVE-2020-7662", "cwe": { "id": "CWE-20", "name": "Improper Input 
Validation" }, "discovery_date": "2020-06-02T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1845982" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. 
This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.", "title": "Vulnerability description" }, { "category": "summary", "text": "npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7662", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7662" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662" }, { "category": "external", "summary": "https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv", "url": 
"https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv" }, { "category": "external", "summary": "CVE-2020-7662", "url": "https://access.redhat.com/security/cve/CVE-2020-7662" }, { "category": "external", "summary": "bz#1845982: CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845982" } ], "release_date": "2020-06-02T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-02T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser" }, { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00Z", "flags": [ { "label": "component_not_present", 
"product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", 
"8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. 
The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" }, { "category": 
"external", "summary": "CVE-2020-8203", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "bz#1857412: CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" } ], "release_date": "2020-04-27T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-07-15T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "acknowledgments": [ { "names": [ "the Kubernetes Product Security Committee" ] }, { "names": [ "Wouter ter Maat" ], "organization": "Offensi", "summary": "Acknowledged by upstream." 
} ], "cve": "CVE-2020-8559", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2020-06-26T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1851422" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Kubernetes API server, where it allows an attacker to escalate their privileges from a compromised node. 
This flaw allows an attacker who can intercept requests on a compromised node to redirect those requests, along with their credentials, to perform actions on other endpoints that trust those credentials (including other clusters), allowing for escalation of privileges. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "kubernetes: compromised node could escalate to cluster level privileges", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8559", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8559" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8559", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8559" }, { "category": "external", 
"summary": "https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs", "url": "https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs" }, { "category": "external", "summary": "CVE-2020-8559", "url": "https://access.redhat.com/security/cve/CVE-2020-8559" }, { "category": "external", "summary": "bz#1851422: CVE-2020-8559 kubernetes: compromised node could escalate to cluster level privileges", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1851422" } ], "release_date": "2020-07-15T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-26T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-8559 kubernetes: compromised node could escalate to cluster level privileges" }, { "cve": "CVE-2020-9283", "cwe": { "id": "CWE-130", "name": "Improper Handling of Length Parameter Inconsistency" }, 
"discovery_date": "2020-02-19T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. 
An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9283" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", "url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY" 
}, { "category": "external", "summary": "CVE-2020-9283", "url": "https://access.redhat.com/security/cve/CVE-2020-9283" }, { "category": "external", "summary": "bz#1804533: CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" } ], "release_date": "2020-02-21T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-02-19T00:00:00Z", "details": "Important" } ], "title": "CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic" }, { "cve": "CVE-2020-10715", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-10-18T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ 
"8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", 
"8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1767665" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A content spoofing vulnerability was found in the openshift/console. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. 
This attack could potentially convince a user that the inserted text is legitimate.", "title": "Vulnerability description" }, { "category": "summary", "text": "openshift/console: text injection on error page via crafted url", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10715", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10715" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10715", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10715" }, { "category": "external", "summary": "CVE-2020-10715", "url": "https://access.redhat.com/security/cve/CVE-2020-10715" }, { "category": "external", "summary": "bz#1767665: CVE-2020-10715 openshift/console: text injection on error page via crafted url", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1767665" } ], "release_date": "2020-07-27T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0" ] } ], "threats": [ { "category": "impact", "date": "2019-10-18T00:00:00Z", "details": "Low" } ], "title": "CVE-2020-10715 openshift/console: text injection on error page via crafted url" }, { "cve": "CVE-2020-10743", "cwe": { "id": "CWE-358", "name": "Improperly Implemented Security Check for Standard" }, "discovery_date": "2020-05-05T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", 
"8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "It was discovered that OpenShift Container Platform\u0027s (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. 
This flaw allows an attacker to trick a user into performing arbitrary actions in OCP\u0027s distribution of Kibana, such as clickjacking.", "title": "Vulnerability description" }, { "category": "summary", "text": "kibana: X-Frame-Option not set by default might lead to clickjacking", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10743", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10743" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10743", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10743" }, { "category": "external", "summary": "CVE-2020-10743", "url": "https://access.redhat.com/security/cve/CVE-2020-10743" }, { "category": "external", "summary": "bz#1834550: 
CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550" } ], "release_date": "2020-01-27T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-05-05T00:00:00Z", "details": "Low" } ], "title": "CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", 
"8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", 
"8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. 
This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" }, { "category": "external", 
"summary": "CVE-2020-11022", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "bz#1828406: CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" } ], "release_date": "2020-04-23T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-04-23T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": 
"2020-06-23T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in jQuery. HTML containing \u003coption\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. 
The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" }, { "category": "external", "summary": "CVE-2020-11023", "url": 
"https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "bz#1850004: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" } ], "release_date": "2020-04-29T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-23T00:00:00Z", "details": "Moderate" } ], "title": "Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2020-11110", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-07-27T00:00:00Z", "flags": 
[ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", 
"8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1861044" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in grafana. 
The lack of URL sanitizing allows for stored XSS.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: stored XSS", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", 
"8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11110", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11110" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11110", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11110" }, { "category": "external", "summary": "CVE-2020-11110", "url": "https://access.redhat.com/security/cve/CVE-2020-11110" }, { "category": "external", "summary": "bz#1861044: CVE-2020-11110 grafana: stored XSS", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1861044" } ], "release_date": "2020-04-01T00:00:00Z", "remediations": [ { "category": "vendor_fix", 
"details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-07-27T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-11110 grafana: stored XSS" }, { "cve": "CVE-2020-12052", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-17T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", 
"8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1848089" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in grafana. The software is vulnerable to an annotation popup XSS.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: XSS annotation popup vulnerability", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-12052", "url": "https://www.cve.org/CVERecord?id=CVE-2020-12052" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12052", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12052" }, { "category": "external", "summary": "CVE-2020-12052", "url": "https://access.redhat.com/security/cve/CVE-2020-12052" }, { "category": "external", "summary": "bz#1848089: CVE-2020-12052 grafana: XSS annotation popup vulnerability", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848089" } ], "release_date": "2020-04-27T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 
"version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-17T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-12052 grafana: XSS annotation popup vulnerability" }, { "cve": "CVE-2020-12245", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-25T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1848643" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": 
"description", "text": "A flaw was found in grafana. An XSS is possible in table-panel via column.title or cellLinkTooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: XSS via column.title or cellLinkTooltip", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-12245", "url": "https://www.cve.org/CVERecord?id=CVE-2020-12245" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12245", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12245" }, { "category": "external", "summary": "CVE-2020-12245", "url": "https://access.redhat.com/security/cve/CVE-2020-12245" }, { "category": "external", "summary": "bz#1848643: CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1848643" } ], "release_date": "2020-04-23T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-04-25T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip" }, { "cve": "CVE-2020-13822", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "discovery_date": "2020-06-04T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1848647" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "The Elliptic for Node.js allows ECDSA signature malleability via variations in encoding, leading \u0027\\0\u0027 bytes, or integer overflows. 
This could conceivably have a security-relevant impact if an application relied on a single canonical signature.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13822", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13822" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13822", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13822" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484", "url": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484" }, { "category": "external", "summary": "CVE-2020-13822", "url": 
"https://access.redhat.com/security/cve/CVE-2020-13822" }, { "category": "external", "summary": "bz#1848647: CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848647" } ], "release_date": "2020-06-01T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-04T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures" }, { "cve": "CVE-2020-14040", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" }, "discovery_date": 
"2020-06-17T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. 
If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040" }, { "category": "external", "summary": 
"https://github.com/golang/go/issues/39491", "url": "https://github.com/golang/go/issues/39491" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0", "url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0" }, { "category": "external", "summary": "CVE-2020-14040", "url": "https://access.redhat.com/security/cve/CVE-2020-14040" }, { "category": "external", "summary": "bz#1853652: CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652" } ], "release_date": "2020-06-17T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-17T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash" }, { "acknowledgments": [ { "names": [ "Yuval Kashtan" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2020-14336", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2020-06-25T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s 
status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "openshift: restricted SCC allows pods to craft custom network packets", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14336", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14336" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14336", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14336" }, { "category": "external", "summary": "CVE-2020-14336", "url": "https://access.redhat.com/security/cve/CVE-2020-14336" }, { "category": "external", "summary": "bz#1858981: CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981" } ], "release_date": "2020-07-13T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-06-25T00:00:00Z", "details": "Low" } ], "title": "CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets" }, { "cve": "CVE-2020-15366", "cwe": { "id": "CWE-471", "name": "Modification of Assumed-Immutable Data (MAID)" }, "discovery_date": 
"2020-07-15T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-ansible-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-aws-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-azure-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-machine-controllers:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-baremetal-runtimecfg-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cli-artifacts:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cli:v4.6.0-202010080605.p0", "8Base-RHOSE-4.6:openshift4/ose-cloud-credential-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-authentication-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-autoscaler:v4.6.0-202009291152.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-capacity:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-config-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-csi-snapshot-controller-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-dns-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-etcd-rhel8-operator:v4.6.0-202010062159.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-image-registry-operator:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-cluster-kube-apiserver-operator:v4.6.0-202010090300.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-controller-manager-operator:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-descheduler-rhel8-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-scheduler-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-kube-storage-version-migrator-rhel8-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-machine-approver:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-apiserver-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-openshift-controller-manager-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-policy-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-samples-operator:v4.6.0-202009290409.p0", "8Base-RHOSE-4.6:openshift4/ose-cluster-storage-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-console-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-coredns:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-attacher:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-resizer:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-external-snapshotter:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe-rhel8:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-csi-livenessprobe:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-node-driver-registrar:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-csi-snapshot-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-descheduler:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-builder:v4.6.0-202010120952.p0", "8Base-RHOSE-4.6:openshift4/ose-docker-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-etcd:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-gcp-machine-controllers-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-grafana:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-hyperkube:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-installer:v4.6.0-202010081843.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-kube-storage-version-migrator-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-diskmaker:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-local-storage-static-provisioner:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "8Base-RHOSE-4.6:openshift4/ose-mdns-publisher-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-metering-reporting-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-admission-controller:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-cni:v4.6.0-202010061132.p0", 
"8Base-RHOSE-4.6:openshift4/ose-multus-route-override-cni-rhel8:v4.6.0-202010012244.p0", "8Base-RHOSE-4.6:openshift4/ose-multus-whereabouts-ipam-cni-rhel8:v4.6.0-202010011936.p0", "8Base-RHOSE-4.6:openshift4/ose-network-metrics-daemon-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-oauth-proxy:v4.6.0-202010010929.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-apiserver-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-openshift-controller-manager-rhel8:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-lifecycle-manager:v4.6.0-202010130555.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-marketplace:v4.6.0-202010081538.p0", "8Base-RHOSE-4.6:openshift4/ose-operator-registry:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp-operator:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-ptp:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-service-ca-operator:v4.6.0-202010061132.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-dp-admission-controller:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-config-daemon:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-device-plugin:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-sriov-network-webhook:v4.6.0-202010200139.p0", "8Base-RHOSE-4.6:openshift4/ose-tests:v4.6.0-202010120952.p0" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-15366", "url": "https://www.cve.org/CVERecord?id=CVE-2020-15366" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-AJV-584908", "url": "https://snyk.io/vuln/SNYK-JS-AJV-584908" }, { "category": "external", "summary": "CVE-2020-15366", "url": "https://access.redhat.com/security/cve/CVE-2020-15366" 
}, { "category": "external", "summary": "bz#1857977: CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" } ], "release_date": "2020-07-04T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ], "url": "https://access.redhat.com/errata/RHSA-2020:4298" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-console:v4.6.0-202010100121.p0", "8Base-RHOSE-4.6:openshift4/ose-prometheus:v4.6.0-202009290409.p0" ] } ], "threats": [ { "category": "impact", "date": "2020-07-15T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function" } ] }
rhsa-2020_5179
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Virtualization Engine 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The org.ovirt.engine-root is a core component of oVirt.\n\nThe following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). 
(BZ#1866981, BZ#1879377)\n\nSecurity Fix(es):\n\n* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)\n\n* Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)\n\n* If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)\n\n* Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)\n\n* [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)\n\n* enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)\n\n* NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)\n\n* Adding quota to group doesn\u0027t propagate to users (BZ#1822372)\n\n* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)\n\n* Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)\n\n* RHV-M shows successful operation if OVA export/import failed during \"qemu-img convert\" phase (BZ#1854888)\n\n* Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)\n\n* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)\n\n* RHV 4.4 on AMD EPYC 7742 throws 
an NUMA related error on VM run (BZ#1866862)\n\n* Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)\n\n* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)\n\n* [CNV\u0026RHV]Notification about VM creation contain \u003cUNKNOWN\u003e string (BZ#1873136)\n\n* VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)\n\n* Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)\n\n* unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)\n\n* [CNV\u0026RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)\n\n* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)\n\n* [CNV\u0026RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)\n\n* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)\n\nEnhancement(s):\n\n* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)\n\n* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)\n\n* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)\n\n* [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)\n\n* [RFE] RHV-M Deployment/Install Needs it\u0027s own UUID (BZ#1825020)\n\n* [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)\n\n* [RFE] Expose the \"reinstallation required\" flag of the hosts in the API (BZ#1856671)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:5179", "url": "https://access.redhat.com/errata/RHSA-2020:5179" }, { "category": "external", "summary": "1866981", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866981" }, { "category": "external", "summary": "1870133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870133" }, { "category": "external", "summary": "1871694", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871694" }, { "category": "external", "summary": "1872911", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1872911" }, { "category": "external", "summary": "1873136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873136" }, { "category": "external", "summary": "1876923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1876923" }, { "category": "external", "summary": "1877632", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877632" }, { "category": "external", "summary": "1877679", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877679" }, { "category": "external", "summary": "1879199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879199" }, { "category": "external", "summary": "1879280", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879280" }, { "category": "external", "summary": "1879377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879377" }, { "category": "external", "summary": "1881634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881634" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { 
"category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1883844", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883844" }, { "category": "external", "summary": "1884146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1884146" }, { "category": "external", "summary": "1884634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1884634" }, { "category": "external", "summary": "1885976", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885976" }, { "category": "external", "summary": "1887268", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887268" }, { "category": "external", "summary": "1888626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888626" }, { "category": "external", "summary": "1889522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889522" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "1613514", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613514" }, { "category": "external", "summary": "1657294", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1657294" }, { "category": "external", "summary": "1691253", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1691253" }, { "category": "external", "summary": "1702016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702016" }, { "category": "external", "summary": "1752751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752751" }, { "category": "external", "summary": "1760170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1760170" }, { "category": "external", "summary": "1797717", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797717" }, { "category": "external", "summary": "1808320", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1808320" }, { "category": "external", 
"summary": "1811466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811466" }, { "category": "external", "summary": "1812316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812316" }, { "category": "external", "summary": "1822372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1822372" }, { "category": "external", "summary": "1825020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1825020" }, { "category": "external", "summary": "1828241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828241" }, { "category": "external", "summary": "1829691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829691" }, { "category": "external", "summary": "1842344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842344" }, { "category": "external", "summary": "1845432", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845432" }, { "category": "external", "summary": "1851865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1851865" }, { "category": "external", "summary": "1854888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854888" }, { "category": "external", "summary": "1855305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855305" }, { "category": "external", "summary": "1856671", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856671" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1862101", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1862101" }, { "category": "external", "summary": "1859314", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859314" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_5179.json" } ], "title": "Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-09-14T00:41:23+00:00", "generator": { "date": 
"2024-09-14T00:41:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2020:5179", "initial_release_date": "2020-11-24T13:10:41+00:00", "revision_history": [ { "date": "2020-11-24T13:10:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-11-24T13:10:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-14T00:41:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product": { "name": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product_id": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/engine-db-query@1.6.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product_id": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-logger-log4j@1.1.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product_id": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.4-1.el8ev?arch=noarch" } } }, { "category": 
"product_version", "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product_id": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.6-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product_id": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.4-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-grafana-integration-setup@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", 
"product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-setup@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product_id": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap-setup@1.4.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product_id": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-metrics@1.4.2.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": 
"ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/ovirt-engine-setup-base@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_id": 
"ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product_id": 
"ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.3.8-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "engine-db-query-0:1.6.2-1.el8ev.src", "product": { "name": "engine-db-query-0:1.6.2-1.el8ev.src", "product_id": "engine-db-query-0:1.6.2-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/engine-db-query@1.6.2-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product_id": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-logger-log4j@1.1.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": 
"ovirt-log-collector-0:4.4.4-1.el8ev.src", "product": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "product_id": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product_id": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.6-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product_id": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product_id": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.3.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product_id": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product": { "name": 
"ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.2-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product_id": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-metrics@1.4.2.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.3.8-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "engine-db-query-0:1.6.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch" }, "product_reference": "engine-db-query-0:1.6.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "engine-db-query-0:1.6.2-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src" }, "product_reference": "engine-db-query-0:1.6.2-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch" }, 
"product_reference": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src" }, "product_reference": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", 
"relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": 
"8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src" }, "product_reference": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src" }, "product_reference": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": 
"default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch as a component of 
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch" }, "product_reference": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src" }, "product_reference": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": 
"default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch" }, "product_reference": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" }, "product_reference": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"rhvm-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", 
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue can be used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. 
The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", 
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", 
"8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and not affected by this flaw. 
In the ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2020-8203", "cwe": { "id": 
"CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. 
The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but because the code has changed to container-first content, the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, so the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", 
"8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" } ] }
rhsa-2020_3369
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for OpenShift Service Mesh 1.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\n* macaron: open redirect in the static handler (CVE-2020-12666)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:3369", "url": "https://access.redhat.com/errata/RHSA-2020:3369" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1804533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "1850034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850034" }, { "category": "external", "summary": "1853652", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_3369.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh security update", "tracking": { "current_release_date": "2024-09-18T04:26:05+00:00", "generator": { "date": "2024-09-18T04:26:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2020:3369", "initial_release_date": "2020-08-06T20:19:17+00:00", "revision_history": [ { "date": "2020-08-06T20:19:17+00:00", "number": "1", "summary": "Initial version" }, { "date": 
"2020-08-06T20:19:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-18T04:26:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Service Mesh 1.1", "product": { "name": "OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:service_mesh:1.1::el8" } } }, { "category": "product_name", "name": "Red Hat OpenShift Service Mesh 1.1", "product": { "name": "Red Hat OpenShift Service Mesh 1.1", "product_id": "7Server-RH7-RHOSSM-1.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:service_mesh:1.1::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Service Mesh" }, { "branches": [ { "category": "product_version", "name": "ior-0:1.1.6-1.el8.x86_64", "product": { "name": "ior-0:1.1.6-1.el8.x86_64", "product_id": "ior-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-citadel-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-citadel@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-galley-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-galley-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-galley-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/servicemesh-galley@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-istioctl@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-mixc-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-mixc@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-mixs-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-mixs@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-pilot-agent@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/servicemesh-sidecar-injector@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "product": { "name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "product_id": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64", "product": { "name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64", "product_id": "servicemesh-grafana-0:6.4.3-13.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "product": { "name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "product_id": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-grafana-prometheus@6.4.3-13.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-cni-0:1.1.6-1.el8.x86_64", "product": { "name": "servicemesh-cni-0:1.1.6-1.el8.x86_64", "product_id": "servicemesh-cni-0:1.1.6-1.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=x86_64" } } }, { "category": "product_version", "name": "servicemesh-operator-0:1.1.6-2.el8.x86_64", "product": { "name": "servicemesh-operator-0:1.1.6-2.el8.x86_64", "product_id": "servicemesh-operator-0:1.1.6-2.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=x86_64" } } }, { "category": "product_version", "name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64", "product": { "name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64", "product_id": "kiali-0:v1.12.10.redhat2-1.el7.x86_64", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "ior-0:1.1.6-1.el8.src", "product": { "name": "ior-0:1.1.6-1.el8.src", "product_id": "ior-0:1.1.6-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=src" } } }, { "category": "product_version", "name": "servicemesh-0:1.1.6-1.el8.src", "product": { "name": "servicemesh-0:1.1.6-1.el8.src", "product_id": "servicemesh-0:1.1.6-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=src" } } }, { "category": "product_version", "name": "servicemesh-prometheus-0:2.14.0-14.el8.src", "product": { "name": "servicemesh-prometheus-0:2.14.0-14.el8.src", "product_id": "servicemesh-prometheus-0:2.14.0-14.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=src" } } }, { "category": "product_version", "name": "servicemesh-grafana-0:6.4.3-13.el8.src", "product": { "name": "servicemesh-grafana-0:6.4.3-13.el8.src", "product_id": "servicemesh-grafana-0:6.4.3-13.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=src" } } }, { "category": "product_version", "name": "servicemesh-cni-0:1.1.6-1.el8.src", "product": { "name": "servicemesh-cni-0:1.1.6-1.el8.src", "product_id": "servicemesh-cni-0:1.1.6-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=src" } } }, { "category": "product_version", "name": "servicemesh-operator-0:1.1.6-2.el8.src", "product": { "name": "servicemesh-operator-0:1.1.6-2.el8.src", "product_id": "servicemesh-operator-0:1.1.6-2.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=src" } } }, { "category": "product_version", "name": "kiali-0:v1.12.10.redhat2-1.el7.src", "product": { "name": 
"kiali-0:v1.12.10.redhat2-1.el7.src", "product_id": "kiali-0:v1.12.10.redhat2-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "kiali-0:v1.12.10.redhat2-1.el7.src as a component of Red Hat OpenShift Service Mesh 1.1", "product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src" }, "product_reference": "kiali-0:v1.12.10.redhat2-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64 as a component of Red Hat OpenShift Service Mesh 1.1", "product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64" }, "product_reference": "kiali-0:v1.12.10.redhat2-1.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "ior-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src" }, "product_reference": "ior-0:1.1.6-1.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "ior-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64" }, "product_reference": "ior-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src" }, "product_reference": "servicemesh-0:1.1.6-1.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": 
{ "name": "servicemesh-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-citadel-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-cni-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src" }, "product_reference": "servicemesh-cni-0:1.1.6-1.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-cni-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-cni-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-galley-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-galley-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-grafana-0:6.4.3-13.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src" }, "product_reference": "servicemesh-grafana-0:6.4.3-13.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": 
"default_component_of", "full_product_name": { "name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64" }, "product_reference": "servicemesh-grafana-0:6.4.3-13.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64" }, "product_reference": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-mixc-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-mixs-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-operator-0:1.1.6-2.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src" }, 
"product_reference": "servicemesh-operator-0:1.1.6-2.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-operator-0:1.1.6-2.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64" }, "product_reference": "servicemesh-operator-0:1.1.6-2.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-prometheus-0:2.14.0-14.el8.src as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src" }, "product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.src", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64" }, "product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" }, { "category": "default_component_of", "full_product_name": { "name": 
"servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1", "product_id": "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" }, "product_reference": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64", "relates_to_product_reference": "8Base-OSSM-1.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible through the zipObjectDeep function, which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, so exploitation requires valid OpenShift credentials; the impact is therefore rated Low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but because the kibana code base is moving to container-first content, the kibana package is marked as wontfix. 
This may be fixed in the future.\n\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", 
"summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", 
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3369" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", 
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "cve": "CVE-2020-9283", "cwe": { "id": "CWE-130", "name": "Improper Handling of Length Parameter Inconsistency" }, "discovery_date": "2020-02-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1804533" } ], "notes": [ { "category": "description", "text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted ssh-ed25519 public keys to cause a crash (panic) in applications that use this package as either an SSH client or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform uses the vulnerable library in a number of components, but strictly as an SSH client. The severity of this vulnerability is reduced for clients because exploitation requires the client to connect to an attacker-controlled SSH server, and the maximum impact is a crash of the client process. 
This vulnerability is rated Low for OpenShift Container Platform.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9283" }, { "category": "external", "summary": "RHBZ#1804533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" }, { "category": 
"external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9283" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", "url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY" } ], "release_date": "2020-02-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", 
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3369" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] } ], "threats": [ { "category": 
"impact", "details": "Low" } ], "title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. If HTML containing \u003coption\u003e elements from untrusted sources is passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. 
\n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", 
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3369" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", 
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2020-12666", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850034" } ], "notes": [ { "category": "description", "text": "A flaw was found in macaron. Path URLs aren\u0027t cleaned before being redirected, creating an open redirect in the static handler.", "title": "Vulnerability description" }, { "category": "summary", "text": "macaron: open redirect in the static handler", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue has a low impact on both the OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.\n\nRed Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana, with which the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. 
Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-12666" }, { "category": "external", "summary": "RHBZ#1850034", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1850034" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-12666", "url": "https://www.cve.org/CVERecord?id=CVE-2020-12666" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666" } ], "release_date": "2020-05-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ], "restart_required": { "category": 
"none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3369" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "macaron: open redirect in the static handler" }, { "cve": "CVE-2020-14040", "cwe": { "id": "CWE-835", "name": "Loop with 
Unreachable Exit Condition (\u0027Infinite Loop\u0027)" }, "discovery_date": "2020-06-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1853652" } ], "notes": [ { "category": "description", "text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash", "title": "Vulnerability summary" }, { "category": "other", "text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. 
Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] }, "references": 
[ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14040" }, { "category": "external", "summary": "RHBZ#1853652", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040" }, { "category": "external", "summary": "https://github.com/golang/go/issues/39491", "url": "https://github.com/golang/go/issues/39491" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0", "url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0" } ], "release_date": "2020-06-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", 
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3369" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src", "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src", "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src", "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64", "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src", 
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src", "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64", "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash" } ] }
rhsa-2020_5611
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for cockpit-ovirt, redhat-release-virtualization-host, redhat-virtualization-host, and v2v-conversion-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks. \n\nThe ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. 
RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: cockpit-ovirt (0.14.15), redhat-release-virtualization-host (4.4.3), redhat-virtualization-host (4.4.3), v2v-conversion-host (1.16.2). (BZ#1898023, BZ#1902301, BZ#1907539)\n\nSecurity Fix(es):\n\n* lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c (CVE-2015-8011)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, upgrade from Red Had Virtualization (RHV) 4.4.1 to RHV 4.4.2 failed due to dangling symlinks from the iSCSI Storage Domain that weren\u0027t cleaned up. In this release, the upgrade succeeds. (BZ#1895356)\n\n* Previously, when migrating a Windows virtual machine from a VMware environment to Red Hat Virtualization 4.4.3, the migration failed due to a file permission error. In this release, the migration succeeds. (BZ#1901423)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:5611", "url": "https://access.redhat.com/errata/RHSA-2020:5611" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1835685", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835685" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1895356", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895356" }, { "category": "external", "summary": "1895762", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895762" }, { "category": "external", "summary": "1896536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1896536" }, { "category": "external", "summary": "1898023", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1898023" }, { "category": "external", "summary": "1898024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1898024" }, { "category": "external", "summary": "1901423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901423" }, { "category": "external", "summary": "1902301", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902301" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_5611.json" } ], "title": "Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update", "tracking": { 
"current_release_date": "2024-09-14T00:41:42+00:00", "generator": { "date": "2024-09-14T00:41:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2020:5611", "initial_release_date": "2020-12-17T09:02:04+00:00", "revision_history": [ { "date": "2020-12-17T09:02:04+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-12-17T09:02:04+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-14T00:41:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product": { "name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8" } } }, { "category": "product_name", "name": "RHEL 8-based RHEV-H for RHEV 4 (build requirements)", "product": { "name": "RHEL 8-based RHEV-H for RHEV 4 (build requirements)", "product_id": "8Base-RHV-HypervisorBuild-4", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8" } } }, { "category": "product_name", "name": "Red Hat Virtualization 4 Hypervisor for RHEL 8", "product": { "name": "Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "cockpit-ovirt-0:0.14.15-1.el8ev.src", "product": { "name": "cockpit-ovirt-0:0.14.15-1.el8ev.src", "product_id": "cockpit-ovirt-0:0.14.15-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cockpit-ovirt@0.14.15-1.el8ev?arch=src" } } }, { "category": "product_version", "name": 
"redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "product": { "name": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "product_id": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.4.3-2.el8ev?arch=src" } } }, { "category": "product_version", "name": "v2v-conversion-host-0:1.16.2-8.el8ev.src", "product": { "name": "v2v-conversion-host-0:1.16.2-8.el8ev.src", "product_id": "v2v-conversion-host-0:1.16.2-8.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/v2v-conversion-host@1.16.2-8.el8ev?arch=src" } } }, { "category": "product_version", "name": "redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "product": { "name": "redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "product_id": "redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/redhat-virtualization-host@4.4.3-20201210.0.el8_3?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "product": { "name": "cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "product_id": "cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/cockpit-ovirt-dashboard@0.14.15-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch", "product": { "name": "redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch", "product_id": "redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update-placeholder@4.4.3-2.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", 
"product": { "name": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "product_id": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/v2v-conversion-host-wrapper@1.16.2-8.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "product": { "name": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "product_id": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/v2v-conversion-host-ansible@1.16.2-8.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "product": { "name": "redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "product_id": "redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update@4.4.3-20201210.0.el8_3?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "product": { "name": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "product_id": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.4.3-2.el8ev?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cockpit-ovirt-0:0.14.15-1.el8ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src" }, "product_reference": "cockpit-ovirt-0:0.14.15-1.el8ev.src", "relates_to_product_reference": 
"8Base-RHV-Agents-4" }, { "category": "default_component_of", "full_product_name": { "name": "cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch" }, "product_reference": "cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-Agents-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-0:1.16.2-8.el8ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src" }, "product_reference": "v2v-conversion-host-0:1.16.2-8.el8ev.src", "relates_to_product_reference": "8Base-RHV-Agents-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch" }, "product_reference": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-Agents-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", "product_id": "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch" }, "product_reference": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-Agents-4" }, { "category": "default_component_of", "full_product_name": { "name": "redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src" }, "product_reference": 
"redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "relates_to_product_reference": "8Base-RHV-Hypervisor-4" }, { "category": "default_component_of", "full_product_name": { "name": "redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch" }, "product_reference": "redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "relates_to_product_reference": "8Base-RHV-Hypervisor-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-0:1.16.2-8.el8ev.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src" }, "product_reference": "v2v-conversion-host-0:1.16.2-8.el8ev.src", "relates_to_product_reference": "8Base-RHV-Hypervisor-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch" }, "product_reference": "v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-Hypervisor-4" }, { "category": "default_component_of", "full_product_name": { "name": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8", "product_id": "8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch" }, "product_reference": "v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-Hypervisor-4" }, { "category": "default_component_of", "full_product_name": { "name": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.src as a component of RHEL 8-based RHEV-H for RHEV 4 
(build requirements)", "product_id": "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src" }, "product_reference": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "relates_to_product_reference": "8Base-RHV-HypervisorBuild-4" }, { "category": "default_component_of", "full_product_name": { "name": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64 as a component of RHEL 8-based RHEV-H for RHEV 4 (build requirements)", "product_id": "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64" }, "product_reference": "redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "relates_to_product_reference": "8Base-RHV-HypervisorBuild-4" }, { "category": "default_component_of", "full_product_name": { "name": "redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch as a component of RHEL 8-based RHEV-H for RHEV 4 (build requirements)", "product_id": "8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" }, "product_reference": "redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-HypervisorBuild-4" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-8011", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "discovery_date": "2020-01-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", 
"8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1896536" } ], "notes": [ { "category": "description", "text": "A buffer overflow was found in the lldp_decode function in daemon/protocols/lldp.c in lldpd. This flaw allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries. This threatens the system\u0027s confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c", "title": "Vulnerability summary" }, { "category": "other", "text": "The lldpd package as shipped with Red Hat Enterprise Linux 8 is not affected by this flaw because it has already received the patch. The flaw affects versions before 0.8.0 and the shipped version is 1.0.1+. 
In addition, Red Hat Virtualization 4.3 manager appliance is out of support scope and therefore no fix for it will be delivered.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch" ], "known_not_affected": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-8011" }, { "category": "external", "summary": "RHBZ#1896536", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1896536" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-8011", "url": "https://www.cve.org/CVERecord?id=CVE-2015-8011" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-8011", 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8011" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2015/10/16/2", "url": "http://www.openwall.com/lists/oss-security/2015/10/16/2" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2015/10/30/2", "url": "http://www.openwall.com/lists/oss-security/2015/10/30/2" } ], "release_date": "2015-10-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5611" }, { "category": "workaround", "details": "When the lldpd source is compiled with source fortification enabled, the overflow can no longer be used for code execution and only causes a crash (denial of service).", "product_ids": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", 
"8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c" }, { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", 
"8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore, the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but because that code is moving to container-first content, the kibana package is marked as wontfix. 
This may be fixed in the future.\n\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, so the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-Agents-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Agents-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Agents-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-0:4.4.3-20201210.0.el8_3.src", "8Base-RHV-Hypervisor-4:redhat-virtualization-host-image-update-0:4.4.3-20201210.0.el8_3.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-0:1.16.2-8.el8ev.src", "8Base-RHV-Hypervisor-4:v2v-conversion-host-ansible-0:1.16.2-8.el8ev.noarch", "8Base-RHV-Hypervisor-4:v2v-conversion-host-wrapper-0:1.16.2-8.el8ev.noarch", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.src", "8Base-RHV-HypervisorBuild-4:redhat-release-virtualization-host-0:4.4.3-2.el8ev.x86_64", "8Base-RHV-HypervisorBuild-4:redhat-virtualization-host-image-update-placeholder-0:4.4.3-2.el8ev.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5611" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-Agents-4:cockpit-ovirt-0:0.14.15-1.el8ev.src", "8Base-RHV-Agents-4:cockpit-ovirt-dashboard-0:0.14.15-1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" } ] }
rhsa-2020_3370
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Jaeger-1.17.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Jaeger is Red Hat\u0027s distribution of the Jaeger project,\ntailored for installation into an on-premise OpenShift Container Platform\ninstallation.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:3370", "url": "https://access.redhat.com/errata/RHSA-2020:3370" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "1804533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_3370.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Jaeger 1.17.6 container images security update", "tracking": { "current_release_date": "2024-09-18T04:14:19+00:00", "generator": { "date": "2024-09-18T04:14:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2020:3370", "initial_release_date": "2020-08-06T20:16:01+00:00", "revision_history": [ { "date": "2020-08-06T20:16:01+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-08-06T20:16:01+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-18T04:14:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Jaeger 1.17", "product": { "name": "Red Hat OpenShift Jaeger 1.17", "product_id": 
"7Server-RH7-JAEGER-1.17", "product_identification_helper": { "cpe": "cpe:/a:redhat:jaeger:1.17::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Jaeger" }, { "branches": [ { "category": "product_version", "name": "distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "product": { "name": "distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "product_id": "distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-agent-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "product": { "name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "product_id": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "product": { "name": "distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "product_id": 
"distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-collector-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "product": { "name": "distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "product_id": "distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-es-index-cleaner-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "product": { "name": "distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "product_id": "distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-es-rollover-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": 
"distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "product": { "name": "distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "product_id": "distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "product": { "name": "distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "product_id": "distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "product_identification_helper": { "purl": "pkg:oci/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-query-rhel7\u0026tag=1.17.6-1" } } }, { "category": "product_version", "name": "distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64", "product": { "name": "distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64", "product_id": "distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64", "product_identification_helper": { "purl": 
"pkg:oci/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-rhel7-operator\u0026tag=1.17.6-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64" }, "product_reference": "distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64" }, "product_reference": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64" }, "product_reference": 
"distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64" }, "product_reference": "distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64" }, "product_reference": "distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64" }, "product_reference": "distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", 
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64" }, "product_reference": "distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" }, { "category": "default_component_of", "full_product_name": { "name": "distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64 as a component of Red Hat OpenShift Jaeger 1.17", "product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" }, "product_reference": "distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64", "relates_to_product_reference": "7Server-RH7-JAEGER-1.17" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. 
The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", 
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://docs.openshift.com/container-platform/4.5/jaeger/jaeger_install/rhbjaeger-updating.html", "product_ids": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", 
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3370" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", 
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "cve": "CVE-2020-9283", "cwe": { "id": "CWE-130", "name": "Improper Handling of Length Parameter Inconsistency" }, "discovery_date": "2020-02-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1804533" } ], "notes": [ { "category": "description", "text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. 
This vulnerability is rated Low for OpenShift Container Platform.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9283" }, { "category": "external", "summary": "RHBZ#1804533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9283" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", "url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY" } ], "release_date": "2020-02-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://docs.openshift.com/container-platform/4.5/jaeger/jaeger_install/rhbjaeger-updating.html", "product_ids": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3370" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:abad0b25b8d40fae71970c581029afc128d9a8ab2439d560d0b715c3ec287e14_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:2e3f471079a34e9c497045a4c1f805c648cac28bd550b91471c7fb6c7d7b9774_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:5acdc905cdf19b06463eca5f7a3e9260e8618c644bbc43e925f003296cb7bdf6_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-index-cleaner-rhel7@sha256:8f0893cad468eaae61081b5b9d78fe512877bb1e1922dd5fff00df45731b79a2_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-es-rollover-rhel7@sha256:a2c413202eb52d172dc15722c20cc0e29ae5276f0ba1eefd1d62f05c2b86915b_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:66f850d0de9ab915e5b9683fc6e82a3426df41b8c308972e81fefae00eb3a8d9_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2fe0840c5c88f0c7f01415e5661d8a32450a827cac555f93accf779d0ededb29_amd64", "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:e561e5ad5940ecaac80ec803843329166b44dcf27d713e6259114a01d61b66f5_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic" } ] }
rhsa-2021_3917
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Quay 3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Quay 3.6.0 release\n\nSecurity Fix(es):\n\n* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)\n\n* python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)\n\n* nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)\n\n* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)\n\n* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)\n\n* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)\n\n* nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)\n\n* nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)\n\n* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function 
(CVE-2020-15366)\n\n* nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)\n\n* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)\n\n* python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)\n\n* browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)\n\n* nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)\n\n* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)\n\n* python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)\n\n* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)\n\n* python-pillow: backtracking regex in PDF parser could be used as a DoS attack (CVE-2021-25292)\n\n* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)\n\n* nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)\n\n* python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)\n\n* python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)\n\n* python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)\n\n* python-pillow: buffer overflow in Convert.c because it allows an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)\n\n* nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)\n\n* lodash: Prototype pollution in utilities function (CVE-2018-3721)\n\n* hoek: Prototype pollution in utilities function (CVE-2018-3728)\n\n* lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)\n\n* nodejs-yargs-parser: prototype 
pollution vulnerability (CVE-2020-7608)\n\n* python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:3917", "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1500700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500700" }, { "category": "external", "summary": "1500705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500705" }, { "category": "external", "summary": "1545884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545884" }, { "category": "external", "summary": "1545893", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545893" }, { "category": "external", "summary": "1546357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1546357" }, { "category": "external", "summary": "1547272", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1547272" }, { "category": "external", "summary": "1608140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608140" }, { "category": "external", "summary": "1743096", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743096" }, { "category": "external", "summary": "1840004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1840004" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1857977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1901662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901662" }, { "category": "external", "summary": "1915257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915257" }, { "category": "external", "summary": "1915420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915420" }, { "category": "external", "summary": "1915424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915424" }, { "category": "external", "summary": "1927293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927293" }, { "category": "external", "summary": "1934470", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934470" }, { "category": "external", "summary": "1934474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934474" }, { "category": "external", "summary": "1934680", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934680" }, { "category": "external", "summary": "1934685", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934685" }, { "category": "external", "summary": "1934692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934692" }, { "category": "external", "summary": 
"1934699", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934699" }, { "category": "external", "summary": "1934705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934705" }, { "category": "external", "summary": "1935384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935384" }, { "category": "external", "summary": "1935396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935396" }, { "category": "external", "summary": "1935401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935401" }, { "category": "external", "summary": "1940759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940759" }, { "category": "external", "summary": "1948763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948763" }, { "category": "external", "summary": "1954150", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954150" }, { "category": "external", "summary": "1955619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955619" }, { "category": "external", "summary": "1982378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1982378" }, { "category": "external", "summary": "PROJQUAY-1417", "url": "https://issues.redhat.com/browse/PROJQUAY-1417" }, { "category": "external", "summary": "PROJQUAY-1449", "url": "https://issues.redhat.com/browse/PROJQUAY-1449" }, { "category": "external", "summary": "PROJQUAY-1535", "url": "https://issues.redhat.com/browse/PROJQUAY-1535" }, { "category": "external", "summary": "PROJQUAY-1583", "url": "https://issues.redhat.com/browse/PROJQUAY-1583" }, { "category": "external", "summary": "PROJQUAY-1609", "url": "https://issues.redhat.com/browse/PROJQUAY-1609" }, { "category": "external", "summary": "PROJQUAY-1610", "url": "https://issues.redhat.com/browse/PROJQUAY-1610" }, { "category": "external", "summary": "PROJQUAY-1791", "url": "https://issues.redhat.com/browse/PROJQUAY-1791" }, { "category": "external", "summary": "PROJQUAY-1883", "url": "https://issues.redhat.com/browse/PROJQUAY-1883" }, { 
"category": "external", "summary": "PROJQUAY-1887", "url": "https://issues.redhat.com/browse/PROJQUAY-1887" }, { "category": "external", "summary": "PROJQUAY-1926", "url": "https://issues.redhat.com/browse/PROJQUAY-1926" }, { "category": "external", "summary": "PROJQUAY-1998", "url": "https://issues.redhat.com/browse/PROJQUAY-1998" }, { "category": "external", "summary": "PROJQUAY-2050", "url": "https://issues.redhat.com/browse/PROJQUAY-2050" }, { "category": "external", "summary": "PROJQUAY-2100", "url": "https://issues.redhat.com/browse/PROJQUAY-2100" }, { "category": "external", "summary": "PROJQUAY-2102", "url": "https://issues.redhat.com/browse/PROJQUAY-2102" }, { "category": "external", "summary": "PROJQUAY-672", "url": "https://issues.redhat.com/browse/PROJQUAY-672" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_3917.json" } ], "title": "Red Hat Security Advisory: Red Hat Quay v3.6.0 security, bug fix and enhancement update", "tracking": { "current_release_date": "2024-09-14T01:23:23+00:00", "generator": { "date": "2024-09-14T01:23:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2021:3917", "initial_release_date": "2021-10-19T12:09:35+00:00", "revision_history": [ { "date": "2021-10-19T12:09:35+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-10-19T12:09:35+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-14T01:23:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Quay v3", "product": { "name": "Quay v3", "product_id": "8Base-Quay-3", "product_identification_helper": { "cpe": "cpe:/a:redhat:quay:3::el8" } } } ], "category": "product_family", "name": "Red Hat Quay" }, { "branches": [ { "category": "product_version", "name": 
"quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product": { "name": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product_id": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle\u0026tag=v3.6.0-35" } } }, { "category": "product_version", "name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product": { "name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product_id": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8\u0026tag=v3.6.0-40" } } }, { "category": "product_version", "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product": { "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product_id": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel8\u0026tag=v3.6.0-44" } } }, { "category": "product_version", "name": 
"quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product": { "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product_id": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8\u0026tag=v3.6.0-45" } } }, { "category": "product_version", "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product": { "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product_id": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product_identification_helper": { "purl": "pkg:oci/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d?arch=amd64\u0026repository_url=registry.redhat.io/quay/clair-rhel8\u0026tag=v3.6.0-70" } } }, { "category": "product_version", "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product": { "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product_id": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle\u0026tag=v3.6.0-37" } } }, { 
"category": "product_version", "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product": { "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product_id": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8\u0026tag=v3.6.0-44" } } }, { "category": "product_version", "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product": { "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product_id": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-bundle\u0026tag=v3.6.0-48" } } }, { "category": "product_version", "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product": { "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product_id": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product_identification_helper": { "purl": 
"pkg:oci/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel8\u0026tag=v3.6.0-43" } } }, { "category": "product_version", "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product": { "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product_id": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel8\u0026tag=v3.6.0-62" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64" }, "product_reference": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64" }, "product_reference": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { 
"name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64" }, "product_reference": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64" }, "product_reference": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64" }, "product_reference": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64" }, "product_reference": 
"quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64" }, "product_reference": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64" }, "product_reference": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" }, "product_reference": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64 as a component of Quay v3", "product_id": 
"8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" }, "product_reference": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "relates_to_product_reference": "8Base-Quay-3" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-16137", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2017-09-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1500705" } ], "notes": [ { "category": "description", "text": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. 
It takes around 50k characters to block for 2 seconds, making this a low severity issue.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-debug: Regular expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of rh-nodejs4-nodejs-debug, rh-nodejs6-nodejs-debug, and rh-nodejs8-nodejs-debug as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Virtualization 4.2 EUS includes a vulnerable version of nodejs-debug as a part of the ovirt-engine-api-explorer package. This package is removed in Red Hat Virtualization 4.3.\n\nRed Hat Quay includes the debug library as a dependency of karma-webpack. It is only used at build time, not at runtime, so its impact is reduced to Low in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-16137" }, { "category": "external", "summary": "RHBZ#1500705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500705" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-16137", "url": "https://www.cve.org/CVERecord?id=CVE-2017-16137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" } ], "release_date": "2017-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-debug: Regular expression Denial of Service" }, { "cve": "CVE-2017-16138", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2017-09-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1500700" } ], "notes": [ { "category": "description", "text": "The mime module is vulnerable to regular expression denial of service when a mime lookup is 
performed on untrusted user input.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-mime: Regular expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contained a vulnerable version of nodejs-mime in the ovirt-engine-dashboard package. This package has been removed in Red Hat Virtualization 4.2.\n\nRed Hat Quay includes mime as a dependency of Karma. It\u0027s only used at build time, not at runtime, so this vulnerability has a low impact on Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", 
"8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-16138" }, { "category": "external", "summary": "RHBZ#1500700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500700" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-16138", "url": "https://www.cve.org/CVERecord?id=CVE-2017-16138" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" }, { "category": "external", "summary": "https://nodesecurity.io/advisories/535", "url": "https://nodesecurity.io/advisories/535" } ], "release_date": "2017-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-mime: 
Regular expression Denial of Service" }, { "cve": "CVE-2018-1107", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-02-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1546357" } ], "notes": [ { "category": "description", "text": "It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. 
A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat Quay the is-my-json-valid library is included as a build time dependency of protractor. It\u0027s only used at build time, not at runtime reducing the impact to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", 
"8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-1107" }, { "category": "external", "summary": "RHBZ#1546357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1546357" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1107", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1107" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1107", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1107" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:is-my-json-valid:20180214", "url": "https://snyk.io/vuln/npm:is-my-json-valid:20180214" } ], "release_date": "2018-02-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format" }, { "cve": "CVE-2018-1109", "cwe": 
{ "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-02-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1547272" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. The highest threat from this vulnerability is system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes braces as a dependency of webpack. 
Braces is only used at build time, not at runtime, reducing the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-1109" }, { "category": "external", "summary": "RHBZ#1547272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547272" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2018-1109", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1109" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1109", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1109" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:braces:20180219", "url": "https://snyk.io/vuln/npm:braces:20180219" } ], "release_date": "2018-02-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js" }, { "cve": "CVE-2018-3721", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1545884" } ], "notes": [ { "category": "description", "text": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "title": "Vulnerability description" }, { "category": "summary", "text": "lodash: Prototype pollution in utilities function", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms version 4.7 does not ship component lodash, so isn\u0027t affected by this flaw.\n\nRed Hat Virtualization 4.2 EUS includes a vulnerable version of lodash as part of the ovirt-engine-dashboard package. 
This package has been removed from Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3721" }, { "category": "external", "summary": "RHBZ#1545884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545884" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2018-3721", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3721" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721" } ], "release_date": "2018-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "lodash: Prototype pollution in utilities function" }, { "cve": "CVE-2018-3728", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1545893" } ], "notes": [ { "category": "description", "text": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via \u0027merge\u0027 and \u0027applyToDefaults\u0027 functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "title": "Vulnerability description" }, { "category": "summary", "text": "hoek: Prototype pollution in utilities function", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes hoek as a dependency of protractor which is only used at build time. 
The vulnerable library is not used at runtime meaning this has a low impact on Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3728" }, { "category": "external", "summary": "RHBZ#1545893", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545893" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2018-3728", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3728" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728" } ], "release_date": "2018-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "hoek: Prototype pollution in utilities function" }, { "cve": "CVE-2018-3774", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-08-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1940759" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-url-parse. The wrong hostname can be returned, due to incorrect parsing, which can lead to a variety of vulnerabilities. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-url-parse: incorrect hostname in url parsing", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3774" }, { 
"category": "external", "summary": "RHBZ#1940759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940759" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3774", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3774" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774" } ], "release_date": "2018-07-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-url-parse: incorrect hostname in url parsing" }, { "cve": "CVE-2018-16492", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-07-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1608140" } ], "notes": [ { "category": "description", "text": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-extend: Prototype pollution can allow attackers to modify object properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes \u0027extend\u0027 as a build time dependency. 
It\u0027s not used at runtime, which reduces the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-16492" }, { "category": "external", "summary": "RHBZ#1608140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608140" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2018-16492", "url": "https://www.cve.org/CVERecord?id=CVE-2018-16492" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16492", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16492" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:extend:20180424", "url": "https://snyk.io/vuln/npm:extend:20180424" } ], "release_date": "2018-04-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-extend: Prototype pollution can allow attackers to modify object properties" }, { "cve": "CVE-2018-21270", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-12-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1927293" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-stringstream. Node.js stringstream module is vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes stringstream as a dependency of Karma. 
Karma is only used at build time, not at runtime, which reduces the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-21270" }, { "category": "external", "summary": "RHBZ#1927293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927293" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2018-21270", "url": "https://www.cve.org/CVERecord?id=CVE-2018-21270" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-21270", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21270" } ], "release_date": "2020-05-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure" }, { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and is not affected by this flaw. 
In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", 
"8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ 
"8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. 
This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. 
The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2019-1010266", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-07-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1743096" } ], "notes": [ { "category": "description", "text": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", "title": "Vulnerability description" }, { "category": "summary", "text": "lodash: uncontrolled resource consumption in Data handler causing denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-1010266" }, { "category": "external", "summary": "RHBZ#1743096", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1743096" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-1010266", "url": "https://www.cve.org/CVERecord?id=CVE-2019-1010266" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" } ], "release_date": "2019-04-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "lodash: uncontrolled resource consumption in Data handler causing denial of service" }, { "cve": "CVE-2020-7608", "cwe": { "id": "CWE-267", "name": "Privilege Defined With Unsafe Actions" }, "discovery_date": "2020-05-11T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1840004" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in nodejs-yargs-parser, where it can be tricked into adding or modifying properties of the Object.prototype using a \"__proto__\" payload. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-yargs-parser: prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7608" }, { "category": 
"external", "summary": "RHBZ#1840004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1840004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7608", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7608" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" } ], "release_date": "2020-03-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-yargs-parser: prototype pollution vulnerability" }, { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible, which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but because the code is moving to container-first content, the kibana package is marked as wontfix. 
This may be fixed in the future.\n\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "cve": "CVE-2020-15366", "cwe": { "id": "CWE-471", "name": "Modification of Assumed-Immutable Data (MAID)" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ 
"8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857977" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "title": "Vulnerability summary" }, { "category": "other", "text": "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the affected containers are behind OpenShift OAuth authentication. 
This restricts access to the vulnerable nodejs-ajv library to authenticated users only, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-15366" }, { "category": "external", "summary": "RHBZ#1857977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" }, { "category": "external", 
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-15366", "url": "https://www.cve.org/CVERecord?id=CVE-2020-15366" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-AJV-584908", "url": "https://snyk.io/vuln/SNYK-JS-AJV-584908" } ], "release_date": "2020-07-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function" }, { "cve": "CVE-2020-26237", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-11-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1901662" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-highlight-js. Highlight.js is vulnerable to Prototype Pollution. 
A malicious HTML code block can be crafted that will result in prototype pollution of the base object\u0027s prototype during highlighting.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-highlight-js: prototype pollution via a crafted HTML code block", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat Virtualization, ovirt-engine-api-explorer uses a vulnerable version of highlight.js, however since release 4.4.3 ovirt-engine-api-explorer is obsoleted and no longer used.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", 
"8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-26237" }, { "category": "external", "summary": "RHBZ#1901662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901662" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-26237", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26237" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-26237", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26237" }, { "category": "external", "summary": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx", "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx" } ], "release_date": "2020-11-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "products": [ 
"8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-highlight-js: prototype pollution via a crafted HTML code block" }, { "cve": "CVE-2020-26291", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915257" } ], "notes": [ { "category": "description", "text": "A flaw was found in urijs. The hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. 
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.", "title": "Vulnerability description" }, { "category": "summary", "text": "urijs: Hostname spoofing via backslashes in URL", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2020-26291" }, { "category": "external", "summary": "RHBZ#1915257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915257" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-26291", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26291" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-26291", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26291" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155", "url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/releases/tag/v1.19.4", "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg", "url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg" }, { "category": "external", "summary": "https://www.npmjs.com/package/urijs", "url": "https://www.npmjs.com/package/urijs" } ], "release_date": "2020-12-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "urijs: Hostname spoofing via backslashes in URL" }, { "cve": "CVE-2020-35653", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915420" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. 
The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Buffer over-read in PCX image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-35653" }, { "category": "external", "summary": "RHBZ#1915420", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915420" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-35653", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35653" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security" } ], "release_date": "2021-01-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "python-pillow: Buffer over-read in PCX image reader" }, { "cve": "CVE-2020-35654", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915424" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow", "title": "Vulnerability summary" }, { "category": "other", "text": "python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", 
"8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-35654" }, { "category": "external", "summary": "RHBZ#1915424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915424" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-35654", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35654" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-35654", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35654" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security" } ], "release_date": "2021-01-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: decoding crafted YCbCr files could result 
in heap-based buffer overflow" }, { "cve": "CVE-2021-23364", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1955619" } ], "notes": [ { "category": "description", "text": "Regular Expression Denial of Service (ReDoS) vulnerability was found in browserslist library. 
An attacker can use this vulnerability by supplying a query whose parsing can potentially lead to service degradation.", "title": "Vulnerability description" }, { "category": "summary", "text": "browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)", "title": "Vulnerability summary" }, { "category": "other", "text": "While some components do package a vulnerable version of the nodejs browserslist library, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. \nThis applies to the following products:\n - OpenShift Container Platform (OCP)\n - OpenShift ServiceMesh (OSSM)\n - Red Hat Advanced Cluster Management for Kubernetes (RHACM)\n\nIn Red Hat Quay, whilst a vulnerable version of `browserslist` is included in the quay-rhel8 container it is a development dependency only, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23364" }, { "category": "external", "summary": "RHBZ#1955619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23364", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23364" } ], "release_date": "2021-04-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ 
"8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)" }, { "cve": "CVE-2021-23368", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1948763" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss`. 
When parsing a supplied CSS string, if it contains an unexpected value then as the supplied CSS grows in length it will take an ever-increasing amount of time to process. An attacker can use this vulnerability to potentially craft a malicious, long CSS value to process, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-postcss: Regular expression denial of service during source map parsing", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nIn Red Hat Quay, whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefore the impact is low.\n\nIn Red Hat Virtualization a vulnerable version of postcss is used in cockpit-ovirt, ovirt-web-ui and ovirt-engine-ui-extensions. However, it is only used during development and is used to process known CSS content. 
This flaw has been marked as \"wontfix\" and it may be addressed in future updates.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23368" }, { "category": "external", "summary": "RHBZ#1948763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948763" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-23368", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23368" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23368", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23368" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-postcss: Regular expression denial of service during source map parsing" }, { "cve": "CVE-2021-23382", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1954150" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss` when using getAnnotationURL() or loadAnnotation() options in lib/previous-map.js. An attacker can use this vulnerability to potentially craft a malicious CSS to process resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. 
This may be fixed in the future.\n\nIn Red Hat Quay, whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23382" }, { "category": "external", "summary": "RHBZ#1954150", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1954150" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23382", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23382" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23382", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23382" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640", "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640" } ], "release_date": "2021-04-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js" }, { "cve": "CVE-2021-25289", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ 
"8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934680" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c", "title": "Vulnerability summary" }, { "category": "other", "text": "python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 is not affected by this flaw, as the flaw was introduced in a newer version than the one shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", 
"8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25289" }, { "category": "external", "summary": "RHBZ#1934680", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934680" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25289", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25289" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25289", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25289" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c" }, { "cve": "CVE-2021-25290", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934685" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. In TiffDecode.c, there is a negative-offset memcpy with an invalid size which could lead to a system crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Negative-offset memcpy in TIFF image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25290" }, { "category": "external", "summary": "RHBZ#1934685", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934685" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25290", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25290" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25290" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation 
feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Negative-offset memcpy in TIFF image reader" }, { "cve": "CVE-2021-25291", "cwe": { 
"id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934692" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. 
Invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile in TiffDecode.c.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does not affect the versions of python-pillow shipped with Red Hat Enterprise Linux 8, as they do not include the vulnerable code, which was introduced in a newer upstream version than the one shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", 
"8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25291" }, { "category": "external", "summary": "RHBZ#1934692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934692" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25291", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25291" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25291", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25291" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c" }, { "cve": "CVE-2021-25292", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", 
"8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934699" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. The PDF parser has a catastrophic backtracking regex that could be exploited for a denial-of-service (DoS) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Regular expression DoS in PDF format parser", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", 
"8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25292" }, { "category": "external", "summary": "RHBZ#1934699", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934699" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25292", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25292" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25292" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Regular expression DoS in PDF format parser" }, { "cve": "CVE-2021-25293", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ 
"8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934705" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. 
There is an Out of Bounds Read in SGIRleDecode.c.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Out-of-bounds read in SGI RLE image reader", "title": "Vulnerability summary" }, { "category": "other", "text": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": 
"Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25293" }, { "category": "external", "summary": "RHBZ#1934705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934705" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25293", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25293" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25293" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Out-of-bounds read in SGI RLE image reader" }, { "cve": "CVE-2021-27515", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934474" } ], "notes": [ { "category": "description", "text": "An input validation flaw exists in the node.js-url-parse, which results in the URL being incorrectly set to the document location protocol instead of the URL being passed as an argument. This flaw allows an attacker to bypass security checks on URLs. The highest threat from this vulnerability is to integrity. 
This is an incomplete fix for CVE-2020-8124.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27515" }, { "category": "external", "summary": 
"RHBZ#1934474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934474" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27515", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27515" } ], "release_date": "2021-02-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise" }, { "cve": "CVE-2021-27516", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934470" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-urijs where URI.js (urijs) mishandles certain uses of the backslash such as http:\\/ and interprets the URI as a relative path. 
The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes the urijs dependency in its package.lock file, but it\u0027s not used anywhere in the code.\n\nRed Hat Advanced Cluster Management for Kubernetes uses Quay as a service, but not code from Quay that exists in RHACM.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", 
"8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27516" }, { "category": "external", "summary": "RHBZ#1934470", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934470" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27516", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27516" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27516", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27516" } ], "release_date": "2021-02-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise" }, { "cve": "CVE-2021-27921", "cwe": { "id": 
"CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935384" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. 
Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in BLP image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": 
"self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27921" }, { "category": "external", "summary": "RHBZ#1935384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935384" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27921", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27921" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27921" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in BLP image reader" }, { "cve": "CVE-2021-27922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935396" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in ICNS image reader", "title": "Vulnerability summary" }, { "category": "other", "text": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27922" }, { "category": "external", "summary": "RHBZ#1935396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935396" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27922", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27922" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in ICNS image reader" }, { "cve": "CVE-2021-27923", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935401" } ], 
"notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in ICO image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", 
"8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27923" }, { "category": "external", "summary": "RHBZ#1935401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27923", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27923" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", 
"8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in ICO image reader" }, { "cve": "CVE-2021-34552", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", 
"8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1982378" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the \"convert()\" or \"ImagingConvertTransparent()\" functions in Convert.c. The highest threat from this vulnerability is to system availability.\r\n\r\nIn Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container; however, the invoice generation feature, which is the only consumer of python-pillow, is disabled by default. The impact has therefore been rated Moderate.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Buffer overflow in image convert function", "title": "Vulnerability summary" }, { "category": "other", "text": "Due to the compiler options used, the buffer overflow is detected and the impact is lowered to a crash only. 
Additionally, the \"mode\" parameter has to be attacker controlled, which is considered a rare case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-34552" }, { "category": "external", "summary": "RHBZ#1982378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1982378" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2021-34552", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34552" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34552" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.\n\nRed Hat Satellite 6.9 customers can apply the following hotfix to eliminate the vulnerability warnings. Note that the hotfix removes the python-pillow package from the Satellite host.\n* Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from https://bugzilla.redhat.com/attachment.cgi?id=1819471\n* Stop services:\n# satellite-maintain service stop\n* Upgrade python2-daemon and remove the affected package:\n# rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm\n# yum remove python-pillow\n* Restart services:\n# satellite-maintain service start\n\nA future Satellite 6.10 release will also include this fix.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", 
"8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Buffer overflow in image convert function" } ] }
rhsa-2020_3807
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Virtualization Engine 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The org.ovirt.engine-root is a core component of oVirt.\n\nThe following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). 
(BZ#1674420, BZ#1866734)\n\nA list of bugs fixed in this update is available in the Technical Notes\nbook:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes\n\nSecurity Fix(es):\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* jquery: Cross-site scripting due to improper handling in the jQuery.htmlPrefilter method (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\n* ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)\n\n* VM portal always asks how to open console.vv even if it has been set to the default application. (BZ#1638217)\n\n* RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)\n\n* On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)\n\n* Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)\n\n* Scheduling Memory calculation disregards huge-pages (BZ#1804037)\n\n* Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)\n\n* In Admin Portal, \"Huge Pages (size: amount)\" needs to be clarified (BZ#1806339)\n\n* Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)\n\n* Unable to create Windows VM\u0027s with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)\n\n* [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)\n\n* [CNV\u0026RHV] Add-Disk operation failed to complete. 
(BZ#1855377)\n\n* Cannot create KubeVirt VM as a normal user (BZ#1859460)\n\n* Welcome page - remove Metrics Store links and update \"Insights Guide\" link (BZ#1866466)\n\n* [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)\n\n* VM vm-name is down with error. Exit message: unsupported configuration: Can\u0027t add USB input device. USB bus is disabled. (BZ#1871235)\n\n* spec_ctrl host feature not detected (BZ#1875609)\n\nEnhancement(s):\n\n* [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)\n\n* [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)\n\n* [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)\n\n* [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:3807", "url": "https://access.redhat.com/errata/RHSA-2020:3807" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1625499", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1625499" }, { "category": "external", "summary": "1638217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1638217" }, { "category": "external", "summary": "1643520", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643520" }, { "category": "external", "summary": "1674420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1674420" }, { "category": "external", "summary": "1748879", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1748879" }, { "category": "external", "summary": "1749803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1749803" }, { "category": "external", "summary": "1758024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758024" }, { "category": "external", "summary": "1763812", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1763812" }, { "category": "external", "summary": "1778471", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1778471" }, { "category": "external", "summary": "1787854", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1787854" }, { "category": "external", "summary": "1801206", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801206" }, { "category": "external", "summary": 
"1803856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1803856" }, { "category": "external", "summary": "1804037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804037" }, { "category": "external", "summary": "1804046", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804046" }, { "category": "external", "summary": "1806339", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1806339" }, { "category": "external", "summary": "1816951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816951" }, { "category": "external", "summary": "1819260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819260" }, { "category": "external", "summary": "1826255", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826255" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1831949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831949" }, { "category": "external", "summary": "1831952", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831952" }, { "category": "external", "summary": "1831954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831954" }, { "category": "external", "summary": "1831956", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831956" }, { "category": "external", "summary": "1838051", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838051" }, { "category": "external", "summary": "1841112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1841112" }, { "category": "external", "summary": "1843234", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843234" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "1854488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854488" }, { "category": "external", "summary": "1855377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855377" }, { "category": 
"external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1858184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858184" }, { "category": "external", "summary": "1859460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859460" }, { "category": "external", "summary": "1860907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860907" }, { "category": "external", "summary": "1866466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866466" }, { "category": "external", "summary": "1866734", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866734" }, { "category": "external", "summary": "1869209", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869209" }, { "category": "external", "summary": "1869302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869302" }, { "category": "external", "summary": "1871235", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871235" }, { "category": "external", "summary": "1875609", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875609" }, { "category": "external", "summary": "1875851", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875851" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2020/rhsa-2020_3807.json" } ], "title": "Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-09-18T04:26:59+00:00", "generator": { "date": "2024-09-18T04:26:59+00:00", "engine": { "name": "Red Hat SDEngine", "version": "3.33.3" } }, "id": "RHSA-2020:3807", "initial_release_date": "2020-09-23T16:12:36+00:00", "revision_history": [ { "date": "2020-09-23T16:12:36+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-09-23T16:12:36+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-09-18T04:26:59+00:00", "number": "3", "summary": 
"Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "ansible-runner-service-0:1.0.5-1.el8ev.noarch", "product": { "name": "ansible-runner-service-0:1.0.5-1.el8ev.noarch", "product_id": "ansible-runner-service-0:1.0.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-runner-service@1.0.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "product": { "name": "ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "product_id": "ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.3-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "product": { "name": "rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "product_id": "rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-dependencies@4.4.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "product": { "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "product_id": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/vdsm-jsonrpc-java@1.5.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "product_id": 
"rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "product_id": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.3-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "product": { "name": "ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "product_id": "ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.4-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.2.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-grafana-integration-setup@4.4.2.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-setup@4.4.2.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", 
"product": { "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/ovirt-engine-setup@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { 
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", 
"product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.2.3-0.6.el8ev.noarch", "product": { "name": "rhvm-0:4.4.2.3-0.6.el8ev.noarch", "product_id": "rhvm-0:4.4.2.3-0.6.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.2.3-0.6.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": 
"ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap-setup@1.4.1-1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "ansible-runner-service-0:1.0.5-1.el8ev.src", "product": { "name": "ansible-runner-service-0:1.0.5-1.el8ev.src", "product_id": "ansible-runner-service-0:1.0.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-runner-service@1.0.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.3-1.el8ev.src", "product": { "name": "ovirt-log-collector-0:4.4.3-1.el8ev.src", "product_id": "ovirt-log-collector-0:4.4.3-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.3-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhvm-dependencies-0:4.4.1-1.el8ev.src", "product": { "name": "rhvm-dependencies-0:4.4.1-1.el8ev.src", "product_id": "rhvm-dependencies-0:4.4.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-dependencies@4.4.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src", "product": { "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src", "product_id": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/vdsm-jsonrpc-java@1.5.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.5-1.el8ev?arch=src" } } }, { 
"category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "product_id": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.3-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.4-1.el8ev.src", "product": { "name": "ovirt-web-ui-0:1.6.4-1.el8ev.src", "product_id": "ovirt-web-ui-0:1.6.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "product": { "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "product_id": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.2.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "product_id": "ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.2.3-0.6.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "product": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.1-1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-runner-service-0:1.0.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch" }, 
"product_reference": "ansible-runner-service-0:1.0.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-runner-service-0:1.0.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src" }, "product_reference": "ansible-runner-service-0:1.0.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.2.3-0.6.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": 
"ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src" }, "product_reference": "ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": 
"8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": 
"ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { 
"name": "ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", 
"relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch" }, "product_reference": "ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.3-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src" }, "product_reference": "ovirt-log-collector-0:4.4.3-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch" }, "product_reference": "ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" }, "product_reference": "ovirt-web-ui-0:1.6.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", 
"full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.2.3-0.6.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.2.3-0.6.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-dependencies-0:4.4.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch" }, "product_reference": "rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-dependencies-0:4.4.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - 
Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src" }, "product_reference": "rhvm-dependencies-0:4.4.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch" }, "product_reference": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" }, "product_reference": "vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], 
"notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible, which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore, the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but, because the code is moving to container-first content, the kibana package is marked as wontfix. 
This may be fixed in the future.\n\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3807" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ 
"8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", 
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. 
This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": 
"RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3807" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ 
"8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", 
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources is passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of jQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. 
\n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3807" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "acknowledgments": [ { "names": [ "Chen Huiliang", "Chen RuiQi" ], "organization": "Qianxin CodeSafe Team" } ], "cve": "CVE-2020-14333", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-07-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1858184" } ], "notes": [ { "category": "description", "text": "A flaw was found in the web interface of ovirt-engine 4.4.2 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. 
This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user\u0027s cookies or other confidential information, or impersonate them within the application\u0027s context.", "title": "Vulnerability description" }, { "category": "summary", "text": "ovirt-engine: Reflected cross site scripting vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ansible-runner-service-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.4-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-dependencies-0:4.4.1-1.el8ev.src", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.noarch", "8Base-RHV-S-4.4:vdsm-jsonrpc-java-0:1.5.5-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14333" }, { "category": "external", "summary": "RHBZ#1858184", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858184" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14333", "url": 
"https://www.cve.org/CVERecord?id=CVE-2020-14333" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14333", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14333" } ], "release_date": "2020-08-17T09:30:00+00:00", "remediations": [ { "category": "vendor_fix", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3807" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.2.3-0.6.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.2.3-0.6.el8ev.noarch", 
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.2.3-0.6.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.2.3-0.6.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ovirt-engine: Reflected cross site scripting vulnerability" } ] }
ghsa-p6mc-m468-83gw
Vulnerability from github
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Note: the fixed version is reported inconsistently across the sources on this page. This advisory lists 4.17.19 as fixed for the `lodash` package but 4.17.20 for `lodash-es`, while the CVE and GSD records describe the `_.zipObjectDeep` issue as affecting lodash before 4.17.20; upgrading to 4.17.20 or later satisfies all of them. The per-function packages (`lodash.pick`, `lodash.set`, `lodash.setwith`, `lodash.update`, `lodash.updatewith`) carry only a `last_affected` version and no fixed version, so they should be treated as still affected.
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "(lodash).pick", "(lodash).set", "(lodash).setWith", "(lodash).update", "(lodash).updateWith", "(lodash).zipObjectDeep" ] }, "package": { "ecosystem": "npm", "name": "lodash" }, "ranges": [ { "events": [ { "introduced": "3.7.0" }, { "fixed": "4.17.19" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash).pick", "(lodash).set", "(lodash).setWith", "(lodash).update", "(lodash).updateWith", "(lodash).zipObjectDeep" ] }, "package": { "ecosystem": "npm", "name": "lodash-es" }, "ranges": [ { "events": [ { "introduced": "3.7.0" }, { "fixed": "4.17.20" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash.pick)" ] }, "package": { "ecosystem": "npm", "name": "lodash.pick" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "last_affected": "4.4.0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash.set)" ] }, "package": { "ecosystem": "npm", "name": "lodash.set" }, "ranges": [ { "events": [ { "introduced": "3.7.0" }, { "last_affected": "4.3.2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash.setwith)" ] }, "package": { "ecosystem": "npm", "name": "lodash.setwith" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "4.3.2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash.update)" ] }, "package": { "ecosystem": "npm", "name": "lodash.update" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "4.10.2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(lodash.updatewith)" ] }, "package": { "ecosystem": "npm", "name": "lodash.updatewith" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "4.10.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-8203" ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-770" ], 
"github_reviewed": true, "github_reviewed_at": "2020-07-15T19:14:58Z", "nvd_published_at": "2020-07-15T17:15:00Z", "severity": "HIGH" }, "details": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", "id": "GHSA-p6mc-m468-83gw", "modified": "2023-10-24T20:06:48Z", "published": "2020-07-15T19:15:48Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/issues/4744" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/issues/4874" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/pull/2884" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" }, { "type": "WEB", "url": "https://hackerone.com/reports/712065" }, { "type": "WEB", "url": "https://hackerone.com/reports/864701" }, { "type": "PACKAGE", "url": "https://github.com/lodash/lodash" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200724-0006" }, { "type": "WEB", "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Prototype Pollution in lodash" }
gsd-2020-8203
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2020-8203", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "id": "GSD-2020-8203", "references": [ "https://access.redhat.com/errata/RHSA-2021:3917", "https://access.redhat.com/errata/RHSA-2020:5611", "https://access.redhat.com/errata/RHSA-2020:5179", "https://access.redhat.com/errata/RHSA-2020:4298", "https://access.redhat.com/errata/RHSA-2020:3807", "https://access.redhat.com/errata/RHSA-2020:3370", "https://access.redhat.com/errata/RHSA-2020:3369" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-8203" ], "details": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "id": "GSD-2020-8203", "modified": "2023-12-13T01:21:53.494578Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8203", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "lodash", "version": { "version_data": [ { "version_value": "Not Fixed" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Allocation of Resources Without Limits or Throttling (CWE-770)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/712065", "refsource": "MISC", "url": "https://hackerone.com/reports/712065" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20200724-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "name": "https://github.com/lodash/lodash/issues/4874", "refsource": "MISC", "url": "https://github.com/lodash/lodash/issues/4874" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c4.17.20", "affected_versions": "All versions before 4.17.20", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-1321", "CWE-78", "CWE-937" ], "date": "2022-03-11", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "fixed_versions": [ "4.17.20" ], "identifier": "CVE-2020-8203", "identifiers": [ "GHSA-p6mc-m468-83gw", "CVE-2020-8203" ], "not_impacted": "All versions starting from 4.17.20", 
"package_slug": "npm/lodash-es", "pubdate": "2020-07-15", "solution": "Upgrade to version 4.17.20 or above.", "title": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)", "urls": [ "https://github.com/lodash/lodash/issues/4744", "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", "https://www.npmjs.com/advisories/1523", "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "https://hackerone.com/reports/712065", "https://security.netapp.com/advisory/ntap-20200724-0006/", "https://github.com/lodash/lodash/issues/4874", "https://www.oracle.com/security-alerts/cpuApr2021.html", "https://www.oracle.com//security-alerts/cpujul2021.html", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://github.com/advisories/GHSA-p6mc-m468-83gw" ], "uuid": "3772099d-33c9-4fe2-93fb-ad3eb9635b44" }, { "affected_range": "\u003c4.17.20", "affected_versions": "All versions before 4.17.20", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-1321", "CWE-937" ], "date": "2021-12-02", "description": "Prototype pollution attack when using `_.zipObjectDeep` in lodash.", "fixed_versions": [ "4.17.20" ], "identifier": "CVE-2020-8203", "identifiers": [ "CVE-2020-8203" ], "not_impacted": "All versions starting from 4.17.20", "package_slug": "npm/lodash", "pubdate": "2020-07-15", "solution": "Upgrade to version 4.17.20 or above.", "title": "Object Prototype Pollution", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "https://github.com/lodash/lodash/issues/4874" ], "uuid": "1f7fa42b-6b17-46b7-88a5-8995b43d298f" } ] }, "nvd.nist.gov": { "cve": { "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5320B76A-C335-4F3B-A589-73CC64033FFB", "versionEndExcluding": "4.17.20", "vulnerable": 
true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0CF9A061-2421-426D-9854-0A4E55B2961D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B72B735F-4E52-484A-9C2C-23E6E2070385", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B36A1D4-F391-4EE3-9A65-0A10568795BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0275F820-40BE-47B8-B167-815A55DF578E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C8E145E-1DF0-4B18-B625-F04DF71F6ACF", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "EABAFD73-150F-4DFE-B721-29EB4475D979", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8A45D47B-3401-49CF-92EE-79D007D802A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "33605127-1352-4285-AE96-B51156B70613", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA7423C4-7016-429B-997F-61E7AEB8F696", "vulnerable": true }, 
{ "criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7BC8689-5E87-43FE-ADE8-5907F581B08E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A8420D4-AAF1-44AA-BF28-48EE3ED310B9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2FB80AC5-35F2-4703-AD93-416B46972EEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "19DAAEFF-AB4A-4D0D-8C86-D2F2811B53B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E14324D-B9EE-4C06-ACC7-255189ED6300", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B185C1EA-71E6-4972-8637-08A33CC00841", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D1534C11-E3F5-49F3-8F8D-7C5C90951E69", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1111BCFD-E336-4B31-A87E-76C684AC6DE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "790A89FD-6B86-49AE-9B4F-AE7262915E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39D442D-1997-49AF-8B02-5640BE2A26CC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC7DB86F-3FAA-43C1-9C44-7CC5FB34419E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "9C416FD3-2E2F-4BBC-BD5F-F896825883F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D886339E-EDB2-4879-BD54-1800E4CA9CAE", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "62A561CF-09BE-4EDB-AAB7-4B057C0B0E44", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "ECF63433-30CC-4E0D-B66A-FD160111763B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F2BFCE3-D743-4AC6-8FEC-75CAF66BFB65", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "B8D05530-BFC7-4652-B387-BC931F43AB5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "348EEE70-E114-4720-AAAF-E77DE5C9A2D1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3DCDD73B-57B1-4580-B922-5662E3AC13B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*", "matchCriteriaId": "4B317147-064A-4786-B3D6-CDE1653E067E", "vulnerable": true }, 
{ "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "9722362B-027B-4311-8F3A-287AE1199019", "versionEndIncluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "301E7158-9090-467C-B3B4-30A8DB3B395D", "versionEndIncluding": "18.8.12", "versionStartIncluding": "18.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBEFACB1-C8EA-492B-8F85-A564DB363C83", "versionEndIncluding": "19.12.11", "versionStartIncluding": "19.12.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792", "versionEndIncluding": "20.12.7", "versionStartIncluding": "20.12.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20." 
}, { "lang": "es", "value": "Un ataque de contaminaci\u00f3n de prototipo cuando se utiliza _.zipObjectDeep en lodash versiones anteriores a 4.17.20" } ], "id": "CVE-2020-8203", "lastModified": "2024-01-21T02:37:13.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-15T17:15:11.797", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://github.com/lodash/lodash/issues/4874" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/712065" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "support@hackerone.com", "type": "Secondary" } ] } } } }
var-202007-1448
Vulnerability from variot
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. lodash is vulnerable to resource allocation without restrictions or throttling (CWE-770): information may be tampered with and service operation may be interrupted (DoS). lodash is an open source JavaScript utility library. An input validation error vulnerability exists in lodash 4.17.15 and earlier versions. A remote attacker could exploit this vulnerability to execute arbitrary code on the system via the 'merge', 'mergeWith' and 'defaultsDeep' functions. (Note: 'merge', 'mergeWith' and 'defaultsDeep' are not among the functions attributed to CVE-2020-8203 in the GHSA entry above — pick, set, setWith, update, updateWith and zipObjectDeep — so this sentence appears to describe a separate lodash issue aggregated into this record.) These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Bug Fix(es):
- Previously, upgrade from Red Hat Virtualization (RHV) 4.4.1 to RHV 4.4.2 failed due to dangling symlinks from the iSCSI Storage Domain that weren't cleaned up. In this release, the upgrade succeeds. (BZ#1895356)
- Previously, when migrating a Windows virtual machine from a VMware environment to Red Hat Virtualization 4.4.3, the migration failed due to a file permission error. In this release, the migration succeeds. (BZ#1901423)
Bugs fixed (https://bugzilla.redhat.com/):
1835685 - [Hosted-Engine]"Installation Guide" and "RHV Documents" didn't jump to the correct pages in hosted engine page.
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1895356 - Upgrade to 4.4.2 will fail due to dangling symlinks
1895762 - cockpit ovirt(downstream) docs links point to upstream docs.
1896536 - CVE-2015-8011 lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c
1898023 - Rebase RHV-H 4.4.3 on RHEL 8.3.0.1
1898024 - Rebase RHV-H 4.4.3 on RHGS-3.5.z Batch #3
1901423 - [v2v] leaking USER and HOME environment from root causes virt-v2v error: failure: Unexpected file type which prevents VM migration
1902301 - Upgrade cockpit-ovirt to 0.14.14
- Solution:
For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: (Note: this solution text refers to OpenShift Container Platform while the surrounding advisory text concerns Red Hat Virtualization; it appears to have been aggregated from a different errata than the RHV ones listed in the GSD references above.)
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.
Bug Fix(es):
- send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)
- Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)
- If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)
- Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)
- [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)
- enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)
- NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)
- Adding quota to group doesn't propagate to users (BZ#1822372)
- Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)
- Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)
-
RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)
-
Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)
-
rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
-
RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)
-
Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)
-
HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
-
[CNV&RHV]Notification about VM creation contain
string (BZ#1873136) -
VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)
-
Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)
-
unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)
-
[CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)
-
Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
-
[CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
-
Require ansible-2.9.14 in ovirt-engine (BZ#1888626)
Enhancement(s):
-
[RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
-
[RFE] - enable renaming HostedEngine VM name (BZ#1657294)
-
[RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
-
[RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)
-
[RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)
-
[RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)
-
[RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)
-
Bugs fixed (https://bugzilla.redhat.com/):
1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
1657294 - [RFE] - enable renaming HostedEngine VM name
1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
1797717 - Search backend cannot find VMs which name starts with a search keyword
1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
1822372 - Adding quota to group doesn't propagate to users
1825020 - [RFE] RHV-M Deployment/Install Needs it's own UUID
1828241 - Deleting snapshot do not display a lock for it's disks under "Disk Snapshots" tab.
1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
1845432 - [CNV&RHV] Communication with CNV cluster spamming engine.log when token is expired
1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1859314 - rhv-log-collector-analyzer --json fails with TypeError
1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
1866981 - obj must be encoded before hashing
1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
1871694 - HostedEngine VM is broken after Cluster changed to UEFI
1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
1873136 - [CNV&RHV]Notification about VM creation contain
- Description:
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Virtualization security, bug fix, and enhancement update
Advisory ID: RHSA-2020:3807-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3807
Issue date: 2020-09-23
CVE Names: CVE-2020-8203 CVE-2020-11022 CVE-2020-11023 CVE-2020-14333
====================================================================
1. Summary:
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
- Description:
The org.ovirt.engine-root is a core component of oVirt.
The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)
A list of bugs fixed in this update is available in the Technical Notes book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Security Fix(es):
-
nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
-
jquery: Cross-site scripting due to improper HTML handling in the jQuery.htmlPrefilter method (CVE-2020-11022)
-
jQuery: passing HTML containing `<option>` elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
-
ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
-
Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)
-
VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217)
-
RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)
-
On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)
-
Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)
-
Scheduling Memory calculation disregards huge-pages (BZ#1804037)
-
Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)
-
In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339)
-
Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)
-
Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)
-
[RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)
-
[CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)
-
Cannot create KubeVirt VM as a normal user (BZ#1859460)
-
Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466)
-
[RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)
-
VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235)
-
spec_ctrl host feature not detected (BZ#1875609)
Enhancement(s):
-
[RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)
-
[RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)
-
[RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)
-
[RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)
-
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
- Bugs fixed (https://bugzilla.redhat.com/):
1625499 - Cannot assign direct LUN from FC storage - grayed out
1638217 - VM portal always asks how to open console.vv even it has been set to default application.
1643520 - RESTAPI Not able to remove the QoS from a disk profile
1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge)
1748879 - On OVA import, qemu-img fails to write to NFS storage domain
1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks
1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied
1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots
1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users.
1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label.
1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI
1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment.
1804037 - Scheduling Memory calculation disregards huge-pages
1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs.
1806339 - In Admin Portal, "Huge Pages (size: amount)" needs to be clarified
1816951 - [CNV&RHV] CNV VM migration failure is not handled correctly by the engine
1819260 - [RFE] enhance search filter for Storage Domains with free argument
1826255 - [CNV&RHV]Change name of type of provider - CNV -> OpenShift Virtualization
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper HTML handling in the jQuery.htmlPrefilter method
1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC
1831952 - RESTAPI contains malformed link around JSON representation of the cluster
1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent
1831956 - RESTAPI javadoc contains malformed link around time zone representation
1838051 - Refresh LUN is using host from different Data Center to scan the LUN
1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory
1843234 - Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal
1850004 - CVE-2020-11023 jQuery: passing HTML containing `<option>` elements to manipulation methods could result in untrusted code execution
- Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: ansible-runner-service-1.0.5-1.el8ev.src.rpm ovirt-engine-4.4.2.3-0.6.el8ev.src.rpm ovirt-engine-dwh-4.4.2.1-1.el8ev.src.rpm ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.2.3-1.el8ev.src.rpm ovirt-log-collector-4.4.3-1.el8ev.src.rpm ovirt-web-ui-1.6.4-1.el8ev.src.rpm rhvm-branding-rhv-4.4.5-1.el8ev.src.rpm rhvm-dependencies-4.4.1-1.el8ev.src.rpm vdsm-jsonrpc-java-1.5.5-1.el8ev.src.rpm
noarch: ansible-runner-service-1.0.5-1.el8ev.noarch.rpm ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-backend-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-dwh-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-setup-1.4.1-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-restapi-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-tools-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-tools-backup-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.2.3-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-log-collector-4.4.3-1.el8ev.noarch.rpm ovirt-web-ui-1.6.4-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.4.2.3-0.6.el8ev.noarch.rpm rhvm-4.4.2.3-0.6.el8ev.noarch.rpm rhvm-branding-rhv-4.4.5-1.el8ev.noarch.rpm rhvm-dependencies-4.4.1-1.el8ev.noarch.rpm vdsm-jsonrpc-java-1.5.5-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-8203 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/cve/CVE-2020-14333 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.

[Note: the signed message above has been re-flowed in this copy (line breaks and PGP dash-escaping were lost, e.g. "- -cli.html"), so the detached signature below cannot be verified against this text. Verify the advisory from the Advisory URL or the RHSA-announce archive instead.]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX2t0HtzjgjWX9erEAQhpWg/+KolNmhmQCrst8TmYsC2IgSdHP+q0LKLj gdPZYu0ixOpwLLiAhrsoDXqL3H3w7UDSKkSISgPMEqEde4Vp+zI37O1q3E/P7CAj rfLGuL1UDEiy0q0g1BP13GrPlg6K4fR5wQAnTB6vD/ZY+wd50Z0T+NGAxd2w68bM R5q1kSOUPc4AZt25FORU2cmp775Y7DWazMWHC77uiJHgyCwVqLtdO09iEnglZDKJ BynwyT8exZKXxmmpE4QZ4X7wNo3Y0mTiRZo5eyxxQpwj9X+qw1V+pBdtMH/C1yhk J+X1f+wDoe2jCx2bqPXqp6EgFSHnJNt96jV0oTdD0f8rMgWcBDStNXdagPBmBCBp t+Kq3BZx0Oqkig4f+DCEmoS0V0fB9UQLg0Q/M9p1bTfYQkbn+BMHL7CAp8UyAzPH A1HlnP7TtQgplFvoap82xt2pXh97VvI6x3sBGHyW4Fz0SykhRYx3dAgmqy5nEssl 5ApWZ87M3l+2tUh4ZOJAtzRDt9sL5KQsXjp1jZaK/gWBsL4Suzr9AIrs4NmRmXnY TzxdXgIY6C+dWmB4TPhcJE5etcvtorqvs93d47yBdpRyO/IlbEw0vLUBdVZZuj9N mqp6RcHqDKm6Yv4B73Ud5my44wSRWVWtBxO6fivQOQG7iqCyIlA3M3LUMkVy+fxc bvmOI0eIsZw=Jhpi -----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

[The JIRA list that follows appears to come from a separate Red Hat Quay advisory concatenated into this entry; it is not part of RHSA-2020:3807.]

JIRA issues fixed (https://issues.jboss.org/):
PROJQUAY-1417 - zstd compressed layers PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay PROJQUAY-1535 - As a user I can create and use nested repository name structures PROJQUAY-1583 - add "disconnected" annotation to operators PROJQUAY-1609 - Operator communicates status per managed component PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment PROJQUAY-1791 - v1beta CRD EOL PROJQUAY-1883 - Support OCP Re-encrypt routes PROJQUAY-1887 - allow either sha or tag in related images PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment. PROJQUAY-1998 - note database deprecations in 3.6 Config Tool PROJQUAY-2050 - Support OCP Edge-Termination PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202007-1448", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "communications session border controller", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.4" }, { "model": 
"communications cloud native core policy", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.11.0" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "communications billing and revenue management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.0.0.3.0" }, { "model": "banking extensibility workbench", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "17.12.0" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "19.12.11" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "20.12.7" }, { "model": "banking liquidity management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "communications billing and revenue management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "7.5.0.23.0" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "banking virtual account management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "banking extensibility workbench", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "banking trade finance process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "communications subscriber-aware load balancer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "cz8.3" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "banking virtual account management", 
"scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "18.8.12" }, { "model": "communications session border controller", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "cz8.4" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "banking trade finance process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "lodash", "scope": "lt", "trust": 1.0, "vendor": "lodash", "version": "4.17.20" }, { "model": "enterprise communications broker", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "3.3.0" }, { "model": "jd edwards enterpriseone tools", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "9.2.6.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "20.12.0" }, { "model": "communications session router", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "cz8.4" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "17.12.11" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.59" }, { "model": "communications subscriber-aware load balancer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "cz8.4" }, { "model": "banking supply chain finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "banking extensibility workbench", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "banking liquidity management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "18.8.0" }, { "model": "enterprise communications broker", "scope": "eq", "trust": 1.0, "vendor": 
"oracle", "version": "pcz3.3" }, { "model": "banking corporate lending process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5.0" }, { "model": "communications session border controller", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.0" }, { "model": "blockchain platform", "scope": "lt", "trust": 1.0, "vendor": "oracle", "version": "21.1.2" }, { "model": "enterprise communications broker", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "3.2.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "19.12.0" }, { "model": "banking credit facilities process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "banking virtual account management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.58" }, { "model": "banking liquidity management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.2.0" }, { "model": "banking trade finance process management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "lodash", "scope": "eq", "trust": 0.8, "vendor": "lodash", "version": "4.17.15" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "4.17.20", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": 
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.12.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "20.12.7", "versionStartIncluding": "20.12.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "19.12.11", "versionStartIncluding": "19.12.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "18.8.12", "versionStartIncluding": "18.8.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:banking_liquidity_management:14.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "9.2.6.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "21.1.2", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2020-8203" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "160589" }, { "db": "PACKETSTORM", "id": "159727" }, { "db": "PACKETSTORM", "id": "160209" }, { 
"db": "PACKETSTORM", "id": "158797" }, { "db": "PACKETSTORM", "id": "158796" }, { "db": "PACKETSTORM", "id": "159275" }, { "db": "PACKETSTORM", "id": "164555" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" } ], "trust": 1.3 }, "cve": "CVE-2020-8203", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 4.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.8, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-008656", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" }, { 
"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "VHN-186328", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULMON", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "CVE-2020-8203", "impactScore": 4.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "MEDIUM", "trust": 0.1, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 2.2, "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.4, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-008656", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2020-8203", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "JVNDB-2020-008656", "trust": 0.8, "value": "High" }, { 
"author": "CNNVD", "id": "CNNVD-202007-1043", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-186328", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2020-8203", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-186328" }, { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. lodash Is vulnerable to resource allocation without restrictions or throttling.Information is tampered with and service operation is interrupted (DoS) It may be put into a state. lodash is an open source JavaScript utility library. An input validation error vulnerability exists in lodash 4.17.15 and earlier versions. A remote attacker could exploit this vulnerability to execute arbitrary code on the system via the \u0027merge\u0027, \u0027mergeWith\u0027 and \u0027defaultsDeep\u0027 functions. These packages include redhat-release-virtualization-host,\novirt-node, and rhev-hypervisor. RHVH features a Cockpit user\ninterface for monitoring the host\u0027s resources and performing administrative\ntasks. These\npackages include redhat-release-virtualization-host, ovirt-node, and\nrhev-hypervisor. RHVH features a Cockpit user interface for\nmonitoring the host\u0027s resources and performing administrative tasks. \n\nBug Fix(es):\n\n* Previously, upgrade from Red Had Virtualization (RHV) 4.4.1 to RHV 4.4.2\nfailed due to dangling symlinks from the iSCSI Storage Domain that weren\u0027t\ncleaned up. In this release, the upgrade succeeds. 
(BZ#1895356)\n\n* Previously, when migrating a Windows virtual machine from a VMware\nenvironment to Red Hat Virtualization 4.4.3, the migration failed due to a\nfile permission error. In this release, the migration succeeds. \n(BZ#1901423)\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1835685 - [Hosted-Engine]\"Installation Guide\" and \"RHV Documents\" didn\u0027t jump to the correct pages in hosted engine page. \n1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function\n1895356 - Upgrade to 4.4.2 will fail due to dangling symlinks\n1895762 - cockpit ovirt(downstream) docs links point to upstream docs. \n1896536 - CVE-2015-8011 lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c\n1898023 - Rebase RHV-H 4.4.3 on RHEL 8.3.0.1\n1898024 - Rebase RHV-H 4.4.3 on RHGS-3.5.z Batch #3\n1901423 - [v2v] leaking USER and HOME environment from root causes virt-v2v error: failure: Unexpected file type which prevents VM migration\n1902301 - Upgrade cockpit-ovirt to 0.14.14\n\n6. Solution:\n\nFor OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -cli.html. \n\nBug Fix(es):\n\n* send --nowait to libvirt when we collect qemu stats, to consume\nbz#1552092 (BZ#1613514)\n\n* Block moving HE hosts into different Data Centers and make HE host moved\nto different cluster NonOperational after activation (BZ#1702016)\n\n* If an in-use MAC is held by a VM on a different cluster, the engine does\nnot attempt to get the next free MAC. 
(BZ#1760170)\n\n* Search backend cannot find VMs which name starts with a search keyword\n(BZ#1797717)\n\n* [Permissions] DataCenterAdmin role defined on DC level does not allow\nCluster creation (BZ#1808320)\n\n* enable-usb-autoshare is always 0 in console.vv and usb-filter option is\nlisted two times (BZ#1811466)\n\n* NumaPinningHelper is not huge pages aware, denies migration to suitable\nhost (BZ#1812316)\n\n* Adding quota to group doesn\u0027t propagate to users (BZ#1822372)\n\n* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35\nTemplate (BZ#1829691)\n\n* Live Migration Bandwidth unit is different from Engine configuration\n(Mbps) and VDSM (MBps) (BZ#1845397)\n\n* RHV-M shows successful operation if OVA export/import failed during\n\"qemu-img convert\" phase (BZ#1854888)\n\n* Cannot hotplug disk reports libvirtError: Requested operation is not\nvalid: Domain already contains a disk with that address (BZ#1855305)\n\n* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)\n\n* RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run\n(BZ#1866862)\n\n* Issue with dashboards creation when sending metrics to external\nElasticsearch (BZ#1870133)\n\n* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)\n\n* [CNV\u0026RHV]Notification about VM creation contain \u003cUNKNOWN\u003e string\n(BZ#1873136)\n\n* VM stuck in Migrating status after migration completed due to incorrect\nstatus reported by VDSM after restart (BZ#1877632)\n\n* Use 4.5 as compatibility level for the Default DataCenter and the Default\nCluster during installation (BZ#1879280)\n\n* unable to create/add index pattern in step 5 from kcs articles#4921101\n(BZ#1881634)\n\n* [CNV\u0026RHV] Remove warning about no active storage domain for Kubevirt VMs\n(BZ#1883844)\n\n* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)\n\n* [CNV\u0026RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)\n\n* Require ansible-2.9.14 in 
ovirt-engine (BZ#1888626)\n\nEnhancement(s):\n\n* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)\n\n* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)\n\n* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)\n\n* [RFE] Show vCPUs and allocated memory in virtual machines summary\n(BZ#1752751)\n\n* [RFE] RHV-M Deployment/Install Needs it\u0027s own UUID (BZ#1825020)\n\n* [RFE] Destination Host in migrate VM dialog has to be searchable and\nsortable (BZ#1851865)\n\n* [RFE] Expose the \"reinstallation required\" flag of the hosts in the API\n(BZ#1856671)\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092\n1657294 - [RFE] - enable renaming HostedEngine VM name\n1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password\n1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation\n1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary\n1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. \n1797717 - Search backend cannot find VMs which name starts with a search keyword\n1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation\n1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times\n1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host\n1822372 - Adding quota to group doesn\u0027t propagate to users\n1825020 - [RFE] RHV-M Deployment/Install Needs it\u0027s own UUID\n1828241 - Deleting snapshot do not display a lock for it\u0027s disks under \"Disk Snapshots\" tab. 
\n1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template\n1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery. \n1845432 - [CNV\u0026RHV] Communicatoin with CNV cluster spamming engine.log when token is expired\n1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable\n1854888 - RHV-M shows successful operation if OVA export/import failed during \"qemu-img convert\" phase\n1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address\n1856671 - [RFE] Expose the \"reinstallation required\" flag of the hosts in the API\n1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function\n1859314 - rhv-log-collector-analyzer --json fails with TypeError\n1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa\n1866981 - obj must be encoded before hashing\n1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch\n1871694 - HostedEngine VM is broken after Cluster changed to UEFI\n1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9\n1873136 - [CNV\u0026RHV]Notification about VM creation contain \u003cUNKNOWN\u003e string\n1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating\n1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart\n1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade\n1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import\n1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation\n1879377 - [DWH] Rebase bug - for the 4.4.3 release\n1881634 - unable to create/add index pattern in step 5 from kcs 
articles#4921101\n1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS\n1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution\n1883844 - [CNV\u0026RHV] Remove warning about no active storage domain for Kubevirt VMs\n1884146 - Deprecate and remove ovirt-engine-api-explorer\n1884634 - [CNV\u0026RHV] Disable creating new disks for Kubevirt VM\n1885976 - rhv-log-collector-analyzer - argument must be str, not bytes\n1887268 - Cannot perform yum update on my RHV manager (ansible conflict)\n1888626 - Require ansible-2.9.14 in ovirt-engine\n1889522 - metrics playbooks are broken due to typo\n\n6. Description:\n\nRed Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio\nservice mesh project, tailored for installation into an on-premise\nOpenShift Container Platform installation. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: Red Hat Virtualization security, bug fix, and enhancement update\nAdvisory ID: RHSA-2020:3807-01\nProduct: Red Hat Virtualization\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:3807\nIssue date: 2020-09-23\nCVE Names: CVE-2020-8203 CVE-2020-11022 CVE-2020-11023\n CVE-2020-14333\n====================================================================\n1. Summary:\n\nAn update is now available for Red Hat Virtualization Engine 4.4. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch\n\n3. 
Description:\n\nThe org.ovirt.engine-root is a core component of oVirt. \n\nThe following packages have been upgraded to a later upstream version:\nansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3),\novirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1),\novirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3),\novirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1),\nvdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)\n\nA list of bugs fixed in this update is available in the Technical Notes\nbook:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht\nml-single/technical_notes\n\nSecurity Fix(es):\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function\n(CVE-2020-8203)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter\nmethod (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods\ncould result in untrusted code execution (CVE-2020-11023)\n\n* ovirt-engine: Reflected cross site scripting vulnerability\n(CVE-2020-14333)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nBug Fix(es):\n\n* Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)\n\n* VM portal always asks how to open console.vv even it has been set to\ndefault application. (BZ#1638217)\n\n* RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)\n\n* On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)\n\n* Possible missing block path for a SCSI host device needs to be handled in\nthe UI (BZ#1801206)\n\n* Scheduling Memory calculation disregards huge-pages (BZ#1804037)\n\n* Engine does not reduce scheduling memory when a VM with dynamic hugepages\nruns. 
(BZ#1804046)\n\n* In Admin Portal, \"Huge Pages (size: amount)\" needs to be clarified\n(BZ#1806339)\n\n* Refresh LUN is using host from different Data Center to scan the LUN\n(BZ#1838051)\n\n* Unable to create Windows VM\u0027s with Mozilla Firefox version 74.0.1 and\ngreater for RHV-M GUI/Webadmin portal (BZ#1843234)\n\n* [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)\n\n* [CNV\u0026RHV] Add-Disk operation failed to complete. (BZ#1855377)\n\n* Cannot create KubeVirt VM as a normal user (BZ#1859460)\n\n* Welcome page - remove Metrics Store links and update \"Insights Guide\"\nlink (BZ#1866466)\n\n* [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)\n\n* VM vm-name is down with error. Exit message: unsupported configuration:\nCan\u0027t add USB input device. USB bus is disabled. (BZ#1871235)\n\n* spec_ctrl host feature not detected (BZ#1875609)\n\nEnhancement(s):\n\n* [RFE] API for changed blocks/sectors for a disk for incremental backup\nusage (BZ#1139877)\n\n* [RFE] Improve workflow for storage migration of VMs with multiple disks\n(BZ#1749803)\n\n* [RFE] Move the Remove VM button to the drop down menu when viewing\ndetails such as snapshots (BZ#1763812)\n\n* [RFE] enhance search filter for Storage Domains with free argument\n(BZ#1819260)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1625499 - Cannot assign direct LUN from FC storage - grayed out\n1638217 - VM portal always asks how to open console.vv even it has been set to default application. 
\n1643520 - RESTAPI Not able to remove the QoS from a disk profile\n1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge)\n1748879 - On OVA import, qemu-img fails to write to NFS storage domain\n1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks\n1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied\n1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots\n1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users. \n1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label. \n1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI\n1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment. \n1804037 - Scheduling Memory calculation disregards huge-pages\n1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. 
\n1806339 - In Admin Portal, \"Huge Pages (size: amount)\" needs to be clarified\n1816951 - [CNV\u0026RHV] CNV VM migration failure is not handled correctly by the engine\n1819260 - [RFE] enhance search filter for Storage Domains with free argument\n1826255 - [CNV\u0026RHV]Change name of type of provider - CNV -\u003e OpenShift Virtualization\n1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC\n1831952 - RESTAPI contains malformed link around JSON representation fo the cluster\n1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent\n1831956 - RESTAPI javadoc contains malformed link around time zone representation\n1838051 - Refresh LUN is using host from different Data Center to scan the LUN\n1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory\n1843234 - Unable to create Windows VM\u0027s with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal\n1850004 - CVE-2020-11023 jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution\n1854488 - [RHV-CNV] - NPE when creating new VM in cnv cluster\n1855377 - [CNV\u0026RHV] Add-Disk operation failed to complete. \n1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function\n1858184 - CVE-2020-14333 ovirt-engine: Reflected cross site scripting vulnerability\n1859460 - Cannot create KubeVirt VM as a normal user\n1860907 - Upgrade bundled GWT to 2.9.0\n1866466 - Welcome page - remove Metrics Store links and update \"Insights Guide\" link\n1866734 - [DWH] Rebase bug - for the 4.4.2 release\n1869209 - [RHV 4.4] Change in CPU model name after RHVH upgrade\n1869302 - ansible 2.9.12 - host deploy fixes\n1871235 - VM vm-name is down with error. Exit message: unsupported configuration: Can\u0027t add USB input device. 
USB bus is disabled. \n1875609 - spec_ctrl host feature not detected\n1875851 - Web Admin interface broken on Firefox ESR 68.11\n\n6. Package List:\n\nRHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:\n\nSource:\nansible-runner-service-1.0.5-1.el8ev.src.rpm\novirt-engine-4.4.2.3-0.6.el8ev.src.rpm\novirt-engine-dwh-4.4.2.1-1.el8ev.src.rpm\novirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.src.rpm\novirt-engine-ui-extensions-1.2.3-1.el8ev.src.rpm\novirt-log-collector-4.4.3-1.el8ev.src.rpm\novirt-web-ui-1.6.4-1.el8ev.src.rpm\nrhvm-branding-rhv-4.4.5-1.el8ev.src.rpm\nrhvm-dependencies-4.4.1-1.el8ev.src.rpm\nvdsm-jsonrpc-java-1.5.5-1.el8ev.src.rpm\n\nnoarch:\nansible-runner-service-1.0.5-1.el8ev.noarch.rpm\novirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-backend-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-dbscripts-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-dwh-4.4.2.1-1.el8ev.noarch.rpm\novirt-engine-dwh-grafana-integration-setup-4.4.2.1-1.el8ev.noarch.rpm\novirt-engine-dwh-setup-4.4.2.1-1.el8ev.noarch.rpm\novirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.noarch.rpm\novirt-engine-extension-aaa-ldap-setup-1.4.1-1.el8ev.noarch.rpm\novirt-engine-health-check-bundler-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-restapi-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-base-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-cinderlib-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-imageio-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-ovirt-engine-common-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-setup-plugin-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-tools-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-tools-backup-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-ui-extensions-1.2.3-1.el8ev.noarch.rpm\novirt-engine-vmconsole-proxy-helper-4.4.2.3-0.6.e
l8ev.noarch.rpm\novirt-engine-webadmin-portal-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-engine-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm\novirt-log-collector-4.4.3-1.el8ev.noarch.rpm\novirt-web-ui-1.6.4-1.el8ev.noarch.rpm\npython3-ovirt-engine-lib-4.4.2.3-0.6.el8ev.noarch.rpm\nrhvm-4.4.2.3-0.6.el8ev.noarch.rpm\nrhvm-branding-rhv-4.4.5-1.el8ev.noarch.rpm\nrhvm-dependencies-4.4.1-1.el8ev.noarch.rpm\nvdsm-jsonrpc-java-1.5.5-1.el8ev.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-8203\nhttps://access.redhat.com/security/cve/CVE-2020-11022\nhttps://access.redhat.com/security/cve/CVE-2020-11023\nhttps://access.redhat.com/security/cve/CVE-2020-14333\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX2t0HtzjgjWX9erEAQhpWg/+KolNmhmQCrst8TmYsC2IgSdHP+q0LKLj\ngdPZYu0ixOpwLLiAhrsoDXqL3H3w7UDSKkSISgPMEqEde4Vp+zI37O1q3E/P7CAj\nrfLGuL1UDEiy0q0g1BP13GrPlg6K4fR5wQAnTB6vD/ZY+wd50Z0T+NGAxd2w68bM\nR5q1kSOUPc4AZt25FORU2cmp775Y7DWazMWHC77uiJHgyCwVqLtdO09iEnglZDKJ\nBynwyT8exZKXxmmpE4QZ4X7wNo3Y0mTiRZo5eyxxQpwj9X+qw1V+pBdtMH/C1yhk\nJ+X1f+wDoe2jCx2bqPXqp6EgFSHnJNt96jV0oTdD0f8rMgWcBDStNXdagPBmBCBp\nt+Kq3BZx0Oqkig4f+DCEmoS0V0fB9UQLg0Q/M9p1bTfYQkbn+BMHL7CAp8UyAzPH\nA1HlnP7TtQgplFvoap82xt2pXh97VvI6x3sBGHyW4Fz0SykhRYx3dAgmqy5nEssl\n5ApWZ87M3l+2tUh4ZOJAtzRDt9sL5KQsXjp1jZaK/gWBsL4Suzr9AIrs4NmRmXnY\nTzxdXgIY6C+dWmB4TPhcJE5etcvtorqvs93d47yBdpRyO/IlbEw0vLUBdVZZuj9N\nmqp6RcHqDKm6Yv4B73Ud5my44wSRWVWtBxO6fivQOQG7iqCyIlA3M3LUMkVy+fxc\nbvmOI0eIsZw=Jhpi\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. JIRA issues fixed (https://issues.jboss.org/):\n\nPROJQUAY-1417 - zstd compressed layers\nPROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay\nPROJQUAY-1535 - As a user I can create and use nested repository name structures\nPROJQUAY-1583 - add \"disconnected\" annotation to operators\nPROJQUAY-1609 - Operator communicates status per managed component\nPROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment\nPROJQUAY-1791 - v1beta CRD EOL\nPROJQUAY-1883 - Support OCP Re-encrypt routes\nPROJQUAY-1887 - allow either sha or tag in related images\nPROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment. 
\nPROJQUAY-1998 - note database deprecations in 3.6 Config Tool\nPROJQUAY-2050 - Support OCP Edge-Termination\nPROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly\nPROJQUAY-2102 - add clair-4.2 enrichment data to quay UI\nPROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install\n\n6", "sources": [ { "db": "NVD", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "VULHUB", "id": "VHN-186328" }, { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "PACKETSTORM", "id": "160589" }, { "db": "PACKETSTORM", "id": "159727" }, { "db": "PACKETSTORM", "id": "160209" }, { "db": "PACKETSTORM", "id": "158797" }, { "db": "PACKETSTORM", "id": "158796" }, { "db": "PACKETSTORM", "id": "159275" }, { "db": "PACKETSTORM", "id": "164555" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2020-8203", "trust": 3.3 }, { "db": "HACKERONE", "id": "712065", "trust": 1.8 }, { "db": "PACKETSTORM", "id": "158797", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "160589", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "160209", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "159275", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2020-008656", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202007-1043", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "164555", "trust": 0.7 }, { "db": "CS-HELP", "id": "SB2021072725", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021072145", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022041931", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021042310", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.4460", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.2715", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.3700", "trust": 0.6 }, { "db": "AUSCERT", "id": 
"ESB-2020.3255", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2023.3143", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3472", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.5150", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.4180", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.5790", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "158796", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-186328", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2020-8203", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "159727", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-186328" }, { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "PACKETSTORM", "id": "160589" }, { "db": "PACKETSTORM", "id": "159727" }, { "db": "PACKETSTORM", "id": "160209" }, { "db": "PACKETSTORM", "id": "158797" }, { "db": "PACKETSTORM", "id": "158796" }, { "db": "PACKETSTORM", "id": "159275" }, { "db": "PACKETSTORM", "id": "164555" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "id": "VAR-202007-1448", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-186328" } ], "trust": 0.01 }, "last_update_date": "2024-01-21T21:15:51.312000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2020-8203 is not modified in /.internal/baseSet.js #4874", "trust": 0.8, "url": "https://github.com/lodash/lodash/issues/4874" }, { "title": "lodash Enter the fix for the verification error vulnerability", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=124909" }, { "title": "Debian CVElist Bug Report Logs: node-lodash: 
CVE-2020-8203", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=e2a3a37cadf3658ad136a09d0edc4403" }, { "title": "Red Hat: Important: Red Hat Virtualization security, bug fix, and enhancement update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20205611 - security advisory" }, { "title": "Red Hat: Low: Red Hat Virtualization security, bug fix, and enhancement update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20205179 - security advisory" }, { "title": "Red Hat: Moderate: Red Hat Virtualization security, bug fix, and enhancement update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20203807 - security advisory" }, { "title": "Red Hat: Moderate: Red Hat OpenShift Service Mesh security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20203369 - security advisory" }, { "title": "IBM: Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data \u2013 Node.js (CVE-2020-8203)", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=0d7ed837a314c7bb63d61727a6cea7fa" }, { "title": "Red Hat: Moderate: OpenShift Container Platform 4.6.1 image security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20204298 - security advisory" }, { "title": "node-elm-compiler", "trust": 0.1, "url": "https://github.com/rtfeldman/node-elm-compiler " }, { "title": "CloudGuard-ShiftLeft-CICD", "trust": 0.1, "url": "https://github.com/chkp-dhouari/cloudguard-shiftleft-cicd " }, { "title": "CloudGuard-ShiftLeft-CICD-mams", "trust": 0.1, "url": "https://github.com/mamadoudemb/cloudguard-shiftleft-cicd-mams " }, { "title": "shiftleft-cicd-demo", "trust": 0.1, "url": 
"https://github.com/ecarbon277/shiftleft-cicd-demo " }, { "title": "", "trust": 0.1, "url": "https://github.com/p3sky/cloudguard-shifleft-cicd " }, { "title": "shiftleftv3", "trust": 0.1, "url": "https://github.com/puryersc/shiftleftv3 " }, { "title": "shiftleftv2", "trust": 0.1, "url": "https://github.com/puryersc/shiftleftv2 " }, { "title": "shiftleftv4", "trust": 0.1, "url": "https://github.com/puryersc/shiftleftv4 " }, { "title": "Web-CTF-Cheatsheet", "trust": 0.1, "url": "https://github.com/duckstroms/web-ctf-cheatsheet " } ], "sources": [ { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-1321", "trust": 1.0 }, { "problemtype": "CWE-770", "trust": 0.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-186328" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://www.oracle.com/security-alerts/cpuapr2021.html" }, { "trust": 2.4, "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-8203" }, { "trust": 1.8, "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" }, { "trust": 1.8, "url": "https://github.com/lodash/lodash/issues/4874" }, { "trust": 1.8, "url": "https://hackerone.com/reports/712065" }, { "trust": 1.8, "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "trust": 1.8, "url": 
"https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8203" }, { "trust": 0.7, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-node-js-cve-2020-8203/" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2020-8203" }, { "trust": 0.7, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.7, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.6, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.4460/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.3143" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021072145" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/164555/red-hat-security-advisory-2021-3917-01.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022041931" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3472" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/158797/red-hat-security-advisory-2020-3369-01.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/159275/red-hat-security-advisory-2020-3807-01.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/160589/red-hat-security-advisory-2020-5611-01.html" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-javascript-affects-ibm-license-metric-tool-v9-cve-2020-8203/" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-oss-security-scan-issues-for-concerto-installer/" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-oss-scan-fixes-for-content-pos/" }, { "trust": 0.6, "url": 
"https://www.oracle.com/security-alerts/cpujul2021.html" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-planning-analytics/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021042310" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/160209/red-hat-security-advisory-2020-5179-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.3700/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.4180/" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-jquery-spring-dom4j-mongodb-linux-kernel-targetcli-fb-jackson-node-js-and-apache-commons-affect-ibm-spectrum-protect-plus/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.5150" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021072725" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.5790" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.2715/" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/node-js-lodash-privilege-escalation-via-prototype-pollution-33309" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.3255/" }, { "trust": 0.4, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.3, "url": "https://access.redhat.com/articles/2974891" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2020-11023" }, { "trust": 0.3, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2020-9283" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2020-15366" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2020-14040" }, { "trust": 0.2, "url": 
"https://access.redhat.com/security/cve/cve-2020-11022" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-20922" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#low" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-20920" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2019-20922" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2019-20920" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9283" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11023" }, { "trust": 0.2, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/1321.html" }, { "trust": 0.1, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283" }, { "trust": 0.1, "url": "https://github.com/rtfeldman/node-elm-compiler" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2015-8011" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-8011" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:5611" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8768" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20852" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8535" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-10743" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-15718" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20657" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-19126" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1712" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8518" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2019-12448" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8611" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-6251" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8676" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-1549" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-9251" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-17451" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20060" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-19519" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11070" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-7150" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-1547" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-7664" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8607" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-12052" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-5482" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14973" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8623" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8594" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8690" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20060" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-13752" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8601" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3822" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11324" }, { "trust": 
0.1, "url": "https://access.redhat.com/security/cve/cve-2019-19925" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3823" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-7146" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-1010204" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7013" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11324" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11236" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8524" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2016-10739" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18751" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-16890" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-5481" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8536" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8686" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8671" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12447" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8544" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-12049" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8571" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-19519" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-15719" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2013-0169" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8677" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-5436" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2018-18624" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8595" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-13753" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8558" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11459" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11358" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12447" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8679" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12795" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20657" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-5094" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3844" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-6454" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20852" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12450" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20483" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-14336" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8619" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:4298" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8622" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-1010180" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7598" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8681" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3825" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8523" }, { 
"trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-18074" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2013-0169" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-6237" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-6706" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20483" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20337" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8673" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8559" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8687" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13822" }, { "trust": 0.1, "url": "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-19923" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-16769" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8672" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11358" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14822" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14404" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8608" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7662" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8615" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12449" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-7665" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8666" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8457" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2019-5953" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8689" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-15847" }, { "trust": 0.1, "url": "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-14498" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8735" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11236" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-19924" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8586" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-12245" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-14404" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8726" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1010204" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8596" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8696" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8610" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-18408" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-13636" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-1563" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-16890" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11070" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14498" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-7149" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12450" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2019-16056" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2016-10739" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-20337" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18074" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11110" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8584" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-19959" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8675" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8563" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-10531" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-13232" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3843" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1010180" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12449" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-10715" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8609" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8587" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-18751" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8506" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18624" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-8583" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-9251" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12448" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11008" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11459" }, { "trust": 0.1, 
"url": "https://access.redhat.com/security/cve/cve-2019-8597" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:5179" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14040" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12666" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:3369" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-12666" }, { "trust": 0.1, "url": "https://docs.openshift.com/container-platform/4.5/jaeger/jaeger_install/rhb" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:3370" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:3807" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14333" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-14333" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11022" }, { "trust": 0.1, "url": "https://issues.jboss.org/):" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-27922" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-1109" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7608" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26237" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-21270" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22924" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25292" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-26237" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-25289" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-25648" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-3728" }, { "trust": 0.1, 
"url": "https://access.redhat.com/security/cve/cve-2021-34552" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22922" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-35653" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-37750" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25289" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-35654" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1109" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25648" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-3721" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-23368" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1107" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-3774" }, { "trust": 0.1, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-7608" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16137" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-36222" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-21270" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-23382" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-26291" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-15366" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25291" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-16492" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-27921" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-3774" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-27515" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2019-1010266" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-35654" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22922" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-27923" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25290" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22923" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-23364" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-16492" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1010266" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-1107" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:3917" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-26291" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-35653" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22924" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-23382" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22923" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2017-16138" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-3728" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-3721" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-27516" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16138" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2017-16137" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25293" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-23364" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-23368" } ], "sources": [ { "db": "VULHUB", 
"id": "VHN-186328" }, { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "PACKETSTORM", "id": "160589" }, { "db": "PACKETSTORM", "id": "159727" }, { "db": "PACKETSTORM", "id": "160209" }, { "db": "PACKETSTORM", "id": "158797" }, { "db": "PACKETSTORM", "id": "158796" }, { "db": "PACKETSTORM", "id": "159275" }, { "db": "PACKETSTORM", "id": "164555" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-186328" }, { "db": "VULMON", "id": "CVE-2020-8203" }, { "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "db": "PACKETSTORM", "id": "160589" }, { "db": "PACKETSTORM", "id": "159727" }, { "db": "PACKETSTORM", "id": "160209" }, { "db": "PACKETSTORM", "id": "158797" }, { "db": "PACKETSTORM", "id": "158796" }, { "db": "PACKETSTORM", "id": "159275" }, { "db": "PACKETSTORM", "id": "164555" }, { "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "db": "NVD", "id": "CVE-2020-8203" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-07-15T00:00:00", "db": "VULHUB", "id": "VHN-186328" }, { "date": "2020-07-15T00:00:00", "db": "VULMON", "id": "CVE-2020-8203" }, { "date": "2020-09-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "date": "2020-12-17T17:36:24", "db": "PACKETSTORM", "id": "160589" }, { "date": "2020-10-27T16:59:02", "db": "PACKETSTORM", "id": "159727" }, { "date": "2020-11-24T15:30:15", "db": "PACKETSTORM", "id": "160209" }, { "date": "2020-08-07T18:27:30", "db": "PACKETSTORM", "id": "158797" }, { "date": "2020-08-07T18:27:14", "db": "PACKETSTORM", "id": "158796" }, { "date": "2020-09-24T00:30:36", "db": "PACKETSTORM", "id": "159275" }, { "date": "2021-10-19T15:32:20", "db": "PACKETSTORM", "id": "164555" }, { 
"date": "2020-07-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "date": "2020-07-15T17:15:11.797000", "db": "NVD", "id": "CVE-2020-8203" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-05-12T00:00:00", "db": "VULHUB", "id": "VHN-186328" }, { "date": "2022-05-12T00:00:00", "db": "VULMON", "id": "CVE-2020-8203" }, { "date": "2020-09-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-008656" }, { "date": "2023-06-05T00:00:00", "db": "CNNVD", "id": "CNNVD-202007-1043" }, { "date": "2024-01-21T02:37:13.193000", "db": "NVD", "id": "CVE-2020-8203" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202007-1043" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lodash Vulnerability in resource allocation without restrictions or throttling in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-008656" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "input validation error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202007-1043" } ], "trust": 0.6 } }