Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-23820
Vulnerability from cvelistv5
Published
2021-11-03 17:20
Modified
2024-09-16 16:14
Severity ?
EPSS score ?
Summary
This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| report@snyk.io | https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78 | Third Party Advisory | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686 | Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287 | Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686 | Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287 | Exploit, Mitigation, Patch, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | json-pointer |
Version: 0 < unspecified |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:09.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "json-pointer",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2021-11-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-03T17:20:10",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
}
],
"title": "Prototype Pollution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-11-03T17:19:55.269449Z",
"ID": "CVE-2021-23820",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "json-pointer",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686"
},
{
"name": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78",
"refsource": "MISC",
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23820",
"datePublished": "2021-11-03T17:20:10.614623Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T16:14:13.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jsonpointer_project:jsonpointer:-:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"022D6B15-C334-4816-B768-08157B45EFF1\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.\"}, {\"lang\": \"es\", \"value\": \"Esto afecta a todas las versiones del paquete json-pointer. Una vulnerabilidad de confusi\\u00f3n de tipo puede conllevar a una omisi\\u00f3n de CVE-2020-7709 cuando los componentes del puntero son matrices\"}]",
"id": "CVE-2021-23820",
"lastModified": "2024-11-21T05:51:54.017",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 5.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-11-03T18:15:08.287",
"references": "[{\"url\": \"https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78\", \"source\": \"report@snyk.io\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Patch\", \"Third Party Advisory\", \"VDB Entry\"]}]",
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-843\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-23820\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2021-11-03T18:15:08.287\",\"lastModified\":\"2024-11-21T05:51:54.017\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.\"},{\"lang\":\"es\",\"value\":\"Esto afecta a todas las versiones del paquete json-pointer. Una vulnerabilidad de confusi\u00f3n de tipo puede conllevar a una omisi\u00f3n de CVE-2020-7709 cuando los componentes del puntero son matrices\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-843\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jsonpointer_project:jsonpointer:-:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"022D6B15-C334-4816-B768-08157B45EFF1\"}]}]}],\"references\":[{\"url\":\"https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
}
}
gsd-2021-23820
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-23820",
"description": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"id": "GSD-2021-23820",
"references": [
"https://access.redhat.com/errata/RHSA-2022:4880"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-23820"
],
"details": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"id": "GSD-2021-23820",
"modified": "2023-12-13T01:23:30.272926Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-11-03T17:19:55.269449Z",
"ID": "CVE-2021-23820",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "json-pointer",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686"
},
{
"name": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78",
"refsource": "MISC",
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=0.6.1",
"affected_versions": "All versions up to 0.6.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-843",
"CWE-937"
],
"date": "2021-11-05",
"description": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"fixed_versions": [],
"identifier": "CVE-2021-23820",
"identifiers": [
"CVE-2021-23820",
"GHSA-v5vg-g7rq-363w"
],
"not_impacted": "",
"package_slug": "npm/json-pointer",
"pubdate": "2021-11-03",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"urls": [
"https://github.com/advisories/GHSA-v5vg-g7rq-363w"
],
"uuid": "624e896a-3f23-46ec-a96e-fccdcc60c5a4"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jsonpointer_project:jsonpointer:-:*:*:*:*:node.js:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2021-23820"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-843"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"refsource": "MISC",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686",
"refsource": "MISC",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910686"
},
{
"name": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-11-05T17:31Z",
"publishedDate": "2021-11-03T18:15Z"
}
}
}
rhsa-2022:4880
Vulnerability from csaf_redhat
Published
2022-06-02 02:06
Modified
2024-11-22 19:21
Summary
Red Hat Security Advisory: ACS 3.70 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes bug fixes and feature
improvements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
New features and enhancements
1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation.
2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes.
3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called "Alert on missing ingress Network Policy." To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.
4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.
5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.
6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.
7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.
Notable technical changes
1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)
Deprecated Features:
- Ability to add comments to alerts and processes
- Anchore, Tenable, and Docker Trusted registry integrations
- External authorization plug-in for scoped access control
- FROM option in the Disallowed Dockerfile line policy field
- RenamePolicyCategory and DeletePolicyCategory API endpoints
- --rhacs option for the roxctl helm output command
Removed Features:
- Ability to delete default policies
- Security policies without a policyVersion
- /v1/policies API endpoint response: field response body parameter
Security Fixes:
* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)
* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS). The updated image includes bug fixes and feature\nimprovements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "New features and enhancements\n\n1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation. \n\n2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes\u0027 Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes. \n\n3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called \"Alert on missing ingress Network Policy.\" To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.\n\n4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.\n\n5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.\n\n6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.\n\n7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.\n\nNotable technical changes\n\n1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)\n\nDeprecated Features:\n\n- Ability to add comments to alerts and processes\n- Anchore, Tenable, and Docker Trusted registry integrations\n- External authorization plug-in for scoped access control\n- FROM option in the Disallowed Dockerfile line policy field\n- RenamePolicyCategory and DeletePolicyCategory API endpoints\n- --rhacs option for the roxctl helm output command\n\nRemoved Features:\n\n- Ability to delete default policies\n- Security policies without a policyVersion\n- /v1/policies API endpoint response: field response body parameter\n\nSecurity Fixes:\n\n* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:4880",
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html",
"url": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html"
},
{
"category": "external",
"summary": "2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "ROX-11147",
"url": "https://issues.redhat.com/browse/ROX-11147"
},
{
"category": "external",
"summary": "ROX-9625",
"url": "https://issues.redhat.com/browse/ROX-9625"
},
{
"category": "external",
"summary": "ROX-9902",
"url": "https://issues.redhat.com/browse/ROX-9902"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4880.json"
}
],
"title": "Red Hat Security Advisory: ACS 3.70 enhancement and security update",
"tracking": {
"current_release_date": "2024-11-22T19:21:22+00:00",
"generator": {
"date": "2024-11-22T19:21:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:4880",
"initial_release_date": "2022-06-02T02:06:42+00:00",
"revision_history": [
{
"date": "2022-06-02T02:06:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-02T02:06:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:21:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.70 for RHEL 8",
"product": {
"name": "RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.70::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.70.0-9"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.70.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.70.0-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23820",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2020369"
}
],
"notes": [
{
"category": "description",
"text": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23820"
},
{
"category": "external",
"summary": "RHBZ#2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23820",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23820"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays"
},
{
"cve": "CVE-2021-41190",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2021-11-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024938"
}
],
"notes": [
{
"category": "description",
"text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "opencontainers: OCI manifest and index parsing confusion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As a consequence of the OCI Image Specification (and OCI Distribution Specification [1]), container runtime engines (like containerd, moby - Docker Engine, cri-o) deliver updates to adopt new `mediaType` field used for identification of the document type. Even though some Red Hat products rely on container engine, the impact by this issue is LOW.\n\n[1] https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-41190"
},
{
"category": "external",
"summary": "RHBZ#2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190"
},
{
"category": "external",
"summary": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42",
"url": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh",
"url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
}
],
"release_date": "2021-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "opencontainers: OCI manifest and index parsing confusion"
}
]
}
RHSA-2022:4880
Vulnerability from csaf_redhat
Published
2022-06-02 02:06
Modified
2024-11-22 19:21
Summary
Red Hat Security Advisory: ACS 3.70 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes bug fixes and feature
improvements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
New features and enhancements
1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation.
2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes.
3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called "Alert on missing ingress Network Policy." To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.
4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.
5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.
6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.
7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.
Notable technical changes
1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)
Deprecated Features:
- Ability to add comments to alerts and processes
- Anchore, Tenable, and Docker Trusted registry integrations
- External authorization plug-in for scoped access control
- FROM option in the Disallowed Dockerfile line policy field
- RenamePolicyCategory and DeletePolicyCategory API endpoints
- --rhacs option for the roxctl helm output command
Removed Features:
- Ability to delete default policies
- Security policies without a policyVersion
- /v1/policies API endpoint response: field response body parameter
Security Fixes:
* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)
* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS). The updated image includes bug fixes and feature\nimprovements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "New features and enhancements\n\n1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation. \n\n2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes\u0027 Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes. \n\n3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called \"Alert on missing ingress Network Policy.\" To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.\n\n4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.\n\n5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.\n\n6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.\n\n7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.\n\nNotable technical changes\n\n1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)\n\nDeprecated Features:\n\n- Ability to add comments to alerts and processes\n- Anchore, Tenable, and Docker Trusted registry integrations\n- External authorization plug-in for scoped access control\n- FROM option in the Disallowed Dockerfile line policy field\n- RenamePolicyCategory and DeletePolicyCategory API endpoints\n- --rhacs option for the roxctl helm output command\n\nRemoved Features:\n\n- Ability to delete default policies\n- Security policies without a policyVersion\n- /v1/policies API endpoint response: field response body parameter\n\nSecurity Fixes:\n\n* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:4880",
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html",
"url": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html"
},
{
"category": "external",
"summary": "2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "ROX-11147",
"url": "https://issues.redhat.com/browse/ROX-11147"
},
{
"category": "external",
"summary": "ROX-9625",
"url": "https://issues.redhat.com/browse/ROX-9625"
},
{
"category": "external",
"summary": "ROX-9902",
"url": "https://issues.redhat.com/browse/ROX-9902"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4880.json"
}
],
"title": "Red Hat Security Advisory: ACS 3.70 enhancement and security update",
"tracking": {
"current_release_date": "2024-11-22T19:21:22+00:00",
"generator": {
"date": "2024-11-22T19:21:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:4880",
"initial_release_date": "2022-06-02T02:06:42+00:00",
"revision_history": [
{
"date": "2022-06-02T02:06:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-02T02:06:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:21:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.70 for RHEL 8",
"product": {
"name": "RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.70::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.70.0-9"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.70.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.70.0-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23820",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2020369"
}
],
"notes": [
{
"category": "description",
"text": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23820"
},
{
"category": "external",
"summary": "RHBZ#2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23820",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23820"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays"
},
{
"cve": "CVE-2021-41190",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2021-11-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024938"
}
],
"notes": [
{
"category": "description",
"text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "opencontainers: OCI manifest and index parsing confusion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As a consequence of the OCI Image Specification (and OCI Distribution Specification [1]), container runtime engines (like containerd, moby - Docker Engine, cri-o) deliver updates to adopt new `mediaType` field used for identification of the document type. Even though some Red Hat products rely on container engine, the impact by this issue is LOW.\n\n[1] https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-41190"
},
{
"category": "external",
"summary": "RHBZ#2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190"
},
{
"category": "external",
"summary": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42",
"url": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh",
"url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
}
],
"release_date": "2021-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "opencontainers: OCI manifest and index parsing confusion"
}
]
}
rhsa-2022_4880
Vulnerability from csaf_redhat
Published
2022-06-02 02:06
Modified
2024-11-22 19:21
Summary
Red Hat Security Advisory: ACS 3.70 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes bug fixes and feature
improvements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
New features and enhancements
1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation.
2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes.
3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called "Alert on missing ingress Network Policy." To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.
4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.
5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.
6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.
7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.
Notable technical changes
1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)
Deprecated Features:
- Ability to add comments to alerts and processes
- Anchore, Tenable, and Docker Trusted registry integrations
- External authorization plug-in for scoped access control
- FROM option in the Disallowed Dockerfile line policy field
- RenamePolicyCategory and DeletePolicyCategory API endpoints
- --rhacs option for the roxctl helm output command
Removed Features:
- Ability to delete default policies
- Security policies without a policyVersion
- /v1/policies API endpoint response: field response body parameter
Security Fixes:
* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)
* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS). The updated image includes bug fixes and feature\nimprovements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "New features and enhancements\n\n1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation. \n\n2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes\u0027 Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes. \n\n3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called \"Alert on missing ingress Network Policy.\" To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.\n\n4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.\n\n5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.\n\n6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.\n\n7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.\n\nNotable technical changes\n\n1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)\n\nDeprecated Features:\n\n- Ability to add comments to alerts and processes\n- Anchore, Tenable, and Docker Trusted registry integrations\n- External authorization plug-in for scoped access control\n- FROM option in the Disallowed Dockerfile line policy field\n- RenamePolicyCategory and DeletePolicyCategory API endpoints\n- --rhacs option for the roxctl helm output command\n\nRemoved Features:\n\n- Ability to delete default policies\n- Security policies without a policyVersion\n- /v1/policies API endpoint response: field response body parameter\n\nSecurity Fixes:\n\n* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:4880",
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html",
"url": "https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html"
},
{
"category": "external",
"summary": "2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "ROX-11147",
"url": "https://issues.redhat.com/browse/ROX-11147"
},
{
"category": "external",
"summary": "ROX-9625",
"url": "https://issues.redhat.com/browse/ROX-9625"
},
{
"category": "external",
"summary": "ROX-9902",
"url": "https://issues.redhat.com/browse/ROX-9902"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4880.json"
}
],
"title": "Red Hat Security Advisory: ACS 3.70 enhancement and security update",
"tracking": {
"current_release_date": "2024-11-22T19:21:22+00:00",
"generator": {
"date": "2024-11-22T19:21:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:4880",
"initial_release_date": "2022-06-02T02:06:42+00:00",
"revision_history": [
{
"date": "2022-06-02T02:06:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-02T02:06:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:21:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.70 for RHEL 8",
"product": {
"name": "RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.70::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.70.0-9"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.70.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.70.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.70.0-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64 as a component of RHACS 3.70 for RHEL 8",
"product_id": "8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64",
"relates_to_product_reference": "8Base-RHACS-3.70"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23820",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2021-11-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2020369"
}
],
"notes": [
{
"category": "description",
"text": "This affects all versions of package json-pointer. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23820"
},
{
"category": "external",
"summary": "RHBZ#2020369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020369"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23820",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23820"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays"
},
{
"cve": "CVE-2021-41190",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2021-11-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2024938"
}
],
"notes": [
{
"category": "description",
"text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "opencontainers: OCI manifest and index parsing confusion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As a consequence of the OCI Image Specification (and OCI Distribution Specification [1]), container runtime engines (like containerd, moby - Docker Engine, cri-o) deliver updates to adopt new `mediaType` field used for identification of the document type. Even though some Red Hat products rely on container engine, the impact by this issue is LOW.\n\n[1] https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:c903a935371814d3f8b86b01b7e346af1aef0ae6fb0eed3884f45af59957b6c0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-operator-bundle@sha256:105c401ebff454bda17a6c5385ded057f09443766d9f87eae7f11ee9a62a08c1_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:38d92c706f6f943cdf9d09aa73000cfbda67d8211219fa2ba9ec228f044c58c5_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:5f44800ac3dd935b6e2ac1ec8397caa1e5dc4bab7b14c2622ff100344e127231_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-rhel8@sha256:e68392b3fccf9f5c3a0e3c392b72e254e6b2c2e86b6d2e297db1f6de3d5e853a_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aae22d1e68e8d01094d0d7165914d7ed9fe476b13e9cc8f857f165385c489587_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-41190"
},
{
"category": "external",
"summary": "RHBZ#2024938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190"
},
{
"category": "external",
"summary": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42",
"url": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"category": "external",
"summary": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh",
"url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
}
],
"release_date": "2021-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-02T02:06:42+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.70 you are advised to upgrade to RHACS 3.70.0.",
"product_ids": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-collector-rhel8@sha256:84d915c50ec190cbc5e718610437dbdd348e0a2e680f9d6c1a66cf181c5c4304_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-docs-rhel8@sha256:dbbff8976b1a1648be50cb562a4d441d278bb79438e7b31758f161b8679e4ee0_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-main-rhel8@sha256:2473ebee564f2915fb58029aabd8437f91e7222e1b145c672ed72df3e319bb02_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-rhel8-operator@sha256:eeaa588e8d35639aca4a3d442808245284e37ff51d04e24ad9e57b041cdfa498_amd64",
"8Base-RHACS-3.70:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:4ba4c3b42b92dd8cb72c4e30167db269747f391332a8b0802680e56d44a00599_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "opencontainers: OCI manifest and index parsing confusion"
}
]
}
ghsa-v5vg-g7rq-363w
Vulnerability from github
Published
2021-11-08 17:40
Modified
2022-07-15 20:23
Severity ?
Summary
Prototype Pollution in json-pointer
Details
This affects versions of package json-pointer up to and including 0.6.1. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.1"
},
"package": {
"ecosystem": "npm",
"name": "json-pointer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23820"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-04T16:55:47Z",
"nvd_published_at": "2021-11-03T18:15:00Z",
"severity": "MODERATE"
},
"details": "This affects versions of package `json-pointer` up to and including `0.6.1`. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays.",
"id": "GHSA-v5vg-g7rq-363w",
"modified": "2022-07-15T20:23:13Z",
"published": "2021-11-08T17:40:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23820"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/pull/36"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/commit/931b0f9c7178ca09778087b4b0ac7e4f505620c2"
},
{
"type": "PACKAGE",
"url": "https://github.com/manuelstofer/json-pointer"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/blob/master/index.js%23L78"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in json-pointer"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.