Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-0691
Vulnerability from cvelistv5
Vendor | Product | Version | |
---|---|---|---|
▼ | unshiftio | unshiftio/url-parse |
Version: unspecified < 1.5.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:40:03.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" }, { "tags": [ "x_transferred" ], "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220325-0006/" }, { "name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "unshiftio/url-parse", "vendor": "unshiftio", "versions": [ { "lessThan": "1.5.9", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-23T00:00:00", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" }, { "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63" }, { "url": "https://security.netapp.com/advisory/ntap-20220325-0006/" }, { "name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" } ], "source": { "advisory": "57124ed5-4b68-4934-8325-2c546257f2e4", "discovery": "EXTERNAL" }, "title": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0691", "datePublished": "2022-02-21T00:00:00", "dateReserved": "2022-02-20T00:00:00", "dateUpdated": "2024-08-02T23:40:03.252Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-0691\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2022-02-21T09:15:07.297\",\"lastModified\":\"2024-11-21T06:39:11.767\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.\"},{\"lang\":\"es\",\"value\":\"Una Omisi\u00f3n de Autorizaci\u00f3n Mediante la Clave Controlada por el Usuario en NPM url-parse versiones anteriores a 1.5.9\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:url-parse_project:url-parse:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.5.9\",\"matchCriteriaId\":\"96C6953C-4507-42DB-802F-9DD1FE068E8A\"}]}]}],\"references\":[{\"url\":\"https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220325-0006/\",\"source\":\"security@huntr.dev\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20220325-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
WID-SEC-W-2022-1401
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-1401 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1401.json" }, { "category": "self", "summary": "WID-SEC-2022-1401 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1401" }, { "category": "external", "summary": "Debian Security Advisory DLA-3336 vom 2023-02-23", "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" }, { "category": "external", "summary": "Red Hat Security Advisory vom 2022-09-12", "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "source_lang": "en-US", "title": "Red Hat OpenShift (Migration Toolkit for Containers): Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-02-22T23:00:00.000+00:00", "generator": { "date": "2024-02-15T16:58:15.966+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-1401", "initial_release_date": "2022-09-12T22:00:00.000+00:00", "revision_history": [ { "date": "2022-09-12T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-02-22T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Debian aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform Migration Toolkit for Containers \u003c 1.7.4", "product": { "name": "Red Hat OpenShift Container Platform Migration Toolkit for Containers \u003c 1.7.4", "product_id": "T024556", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_migration_toolkit_for_containers__1.7.4" } } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-0512", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0512" }, { "cve": "CVE-2022-0639", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0639" }, { "cve": "CVE-2022-0686", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0686" }, { "cve": "CVE-2022-0691", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0691" } ] }
wid-sec-w-2022-1401
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-1401 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1401.json" }, { "category": "self", "summary": "WID-SEC-2022-1401 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1401" }, { "category": "external", "summary": "Debian Security Advisory DLA-3336 vom 2023-02-23", "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" }, { "category": "external", "summary": "Red Hat Security Advisory vom 2022-09-12", "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "source_lang": "en-US", "title": "Red Hat OpenShift (Migration Toolkit for Containers): Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-02-22T23:00:00.000+00:00", "generator": { "date": "2024-02-15T16:58:15.966+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-1401", "initial_release_date": "2022-09-12T22:00:00.000+00:00", "revision_history": [ { "date": "2022-09-12T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-02-22T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Debian aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform Migration Toolkit for Containers \u003c 1.7.4", "product": { "name": "Red Hat OpenShift Container Platform Migration Toolkit for Containers \u003c 1.7.4", "product_id": "T024556", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_migration_toolkit_for_containers__1.7.4" } } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-0512", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0512" }, { "cve": "CVE-2022-0639", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0639" }, { "cve": "CVE-2022-0686", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0686" }, { "cve": "CVE-2022-0691", "notes": [ { "category": "description", "text": "In Red Hat OpenShift (Migration Toolkit for Containers) existieren mehrere Schwachstellen. Die Fehler bestehen aufgrund mehrerer Autorisierungsumgehungsfehler in nodes-url-parse und url-parse. Ein entfernter anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "2951" ] }, "release_date": "2022-09-12T22:00:00Z", "title": "CVE-2022-0691" } ] }
ghsa-jf5r-8hm2-f872
Vulnerability from github
Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.
If url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.
This can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example: ```js const parse = require('url-parse') const express = require('express') const app = express() const port = 3000
url = parse(\"\bjavascript:alert(1)\")
console.log(url)
app.get('/', (req, res) => { if (url.protocol !== \"javascript:\") {res.send(\"CLICK ME!\")} })
app.listen(port, () => {
console.log(Example app listening on port ${port}
)
})
```
{ "affected": [ { "package": { "ecosystem": "npm", "name": "url-parse" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.5.9" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-0691" ], "database_specific": { "cwe_ids": [ "CWE-639" ], "github_reviewed": true, "github_reviewed_at": "2022-03-01T19:05:20Z", "nvd_published_at": "2022-02-21T09:15:00Z", "severity": "MODERATE" }, "details": "Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL.\n\nIf url-parse is used in security decisions involving the hostname / protocol, and the input URL is used in a client which uses the WHATWG URL parser, the decision may be incorrect.\n\nThis can also lead to a cross-site scripting (XSS) vulnerability if url-parse is used to check for the javascript: protocol in URLs. See following example:\n```js\nconst parse = require(\u0027url-parse\u0027)\nconst express = require(\u0027express\u0027)\nconst app = express()\nconst port = 3000\n\nurl = parse(\\\"\\\\bjavascript:alert(1)\\\")\n\nconsole.log(url)\n\napp.get(\u0027/\u0027, (req, res) =\u003e {\n if (url.protocol !== \\\"javascript:\\\") {res.send(\\\"\u003ca href=\\\\\u0027\\\" + url.href + \\\"\\\\\u0027\u003eCLICK ME!\u003c/a\u003e\\\")}\n })\n\napp.listen(port, () =\u003e {\n console.log(`Example app listening on port ${port}`)\n })\n```", "id": "GHSA-jf5r-8hm2-f872", "modified": "2023-09-11T22:57:14Z", "published": "2022-02-22T00:00:30Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0691" }, { "type": "WEB", "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63" }, { "type": "PACKAGE", "url": "https://github.com/unshiftio/url-parse" }, { "type": "WEB", "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220325-0006" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ], "summary": "url-parse incorrectly parses hostname / protocol due to unstripped leading control characters." }
rhsa-2022_6429
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "The Migration Toolkit for Containers (MTC) 1.7.4 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es):\n\n* nodejs-url-parse: authorization bypass through user-controlled key (CVE-2022-0512)\n\n* npm-url-parse: Authorization bypass through user-controlled key (CVE-2022-0686)\n\n* npm-url-parse: authorization bypass through user-controlled key (CVE-2022-0691)\n\n* eventsource: Exposure of Sensitive Information (CVE-2022-1650)\n\n* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)\n\n* nodejs-lodash: command injection via template (CVE-2021-23337)\n\n* npm-url-parse: Authorization Bypass Through User-Controlled Key (CVE-2022-0639)\n\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:6429", "url": "https://access.redhat.com/errata/RHSA-2022:6429" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1928937", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928937" }, { "category": "external", "summary": "1928954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928954" }, { "category": "external", "summary": "2054663", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054663" }, { "category": "external", "summary": "2057442", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2057442" }, { "category": "external", "summary": "2060018", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060018" }, { "category": "external", "summary": "2060020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060020" }, { "category": "external", "summary": "2085307", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307" }, { "category": "external", "summary": "2107342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6429.json" } ], "title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update", "tracking": { "current_release_date": "2024-12-17T22:03:22+00:00", "generator": { "date": "2024-12-17T22:03:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:6429", "initial_release_date": "2022-09-13T00:58:09+00:00", "revision_history": [ { "date": "2022-09-13T00:58:09+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-09-13T00:58:09+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:03:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "8Base-RHMTC-1.7", "product": { "name": "8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhmt:1.7::el8" } } } ], "category": "product_family", "name": "Red Hat Migration Toolkit" }, { "branches": [ { "category": "product_version", "name": "rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "product": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.7.4-7" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "product": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.7.4-8" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "product": { "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "product_id": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-legacy-rhel8-operator\u0026tag=v1.7.4-17" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "product": { "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "product": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.7.4-7" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "product": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.7.4-7" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "product": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.7.4-15" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "product": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "product_id": "rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.7.4-14" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "product": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.7.4-7" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "product": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.7.4-7" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "product": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.7.4-12" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "product": { "name": "rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "product_id": "rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-aws-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "product": { "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "product_id": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-restic-restore-helper-rhel8\u0026tag=v1.7.4-6" } } }, { "category": "product_version", "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64", "product": { "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64", "product_id": "rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-velero-plugin-rhel8\u0026tag=v1.7.4-6" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64" }, "product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64" }, "product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64" }, "product_reference": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64" }, "product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64" }, "product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64" }, "product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64" }, "product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64" }, "product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64" }, "product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64" }, "product_reference": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" }, "product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" }, "product_reference": "rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-28500", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1928954" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nWhile Red Hat Virtualization\u0027s cockpit-ovirt has a dependency on lodash it doesn\u0027t use the vulnerable toNumber, trim, or trimEnd functions.\n\nWhile Red Hat Quay has a dependency on lodash via restangular it doesn\u0027t use the vulnerable toNumber, trim, or trimEnd functions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-28500" }, { "category": "external", "summary": "RHBZ#1928954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928954" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-28500", "url": "https://www.cve.org/CVERecord?id=CVE-2020-28500" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" } ], "release_date": "2021-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions" }, { "cve": "CVE-2021-23337", "cwe": { "id": "CWE-78", "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)" }, "discovery_date": "2021-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1928937" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: command injection via template", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nWhile Red Hat Virtualization\u0027s cockpit-ovirt has a dependency on lodash it doesn\u0027t use the vulnerable template function.\n\nWhile Red Hat Quay has a dependency on lodash via restangular it doesn\u0027t use the vulnerable template function.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23337" }, { "category": "external", "summary": "RHBZ#1928937", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928937" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23337", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" } ], "release_date": "2021-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-lodash: command injection via template" }, { "cve": "CVE-2022-0512", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "discovery_date": "2022-02-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2054663" } ], "notes": [ { "category": "description", "text": "An authorization bypass vulnerability was found in nodes-url-parse. This flaw allows a remote attacker with a basic user account to evade hostname verification by inserting the at symbol \"@\" at the end of the password field. This issue can allow entry to systems designed to block remote access and may not have additional defenses.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-url-parse: authorization bypass through user-controlled key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0512" }, { "category": "external", "summary": "RHBZ#2054663", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054663" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0512", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0512" } ], "release_date": "2022-01-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-url-parse: authorization bypass through user-controlled key" }, { "cve": "CVE-2022-0639", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "discovery_date": "2022-02-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2057442" } ], "notes": [ { "category": "description", "text": "An authorization bypass flaw was found in url-parse. This flaw allows a local unauthenticated attacker to add an at symbol (@) while submitting a URL. This issue enables the bypass of validation or block-listing restrictions.", "title": "Vulnerability description" }, { "category": "summary", "text": "npm-url-parse: Authorization Bypass Through User-Controlled Key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0639" }, { "category": "external", "summary": "RHBZ#2057442", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2057442" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0639", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0639" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0639", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0639" } ], "release_date": "2022-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "npm-url-parse: Authorization Bypass Through User-Controlled Key" }, { "cve": "CVE-2022-0686", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "discovery_date": "2022-02-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2060018" } ], "notes": [ { "category": "description", "text": "An authorization bypass flaw was found in url-parse. While submitting a URL, a local unauthenticated attacker can add a trailing colon (:), but omit the port number. This issue enables an open redirect that allows the exposure of sensitive information or spamming of infrastructure outside the vulnerable server.", "title": "Vulnerability description" }, { "category": "summary", "text": "npm-url-parse: Authorization bypass through user-controlled key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0686" }, { "category": "external", "summary": "RHBZ#2060018", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060018" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0686", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0686" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0686", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0686" } ], "release_date": "2022-02-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "npm-url-parse: Authorization bypass through user-controlled key" }, { "cve": "CVE-2022-0691", "cwe": { "id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key" }, "discovery_date": "2022-02-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2060020" } ], "notes": [ { "category": "description", "text": "An authorization bypass flaw was found in url-parse. This flaw allows a local unauthenticated attacker to add a backspace character (\\b) while submitting a URL. This vulnerability can enable bypassing any hostname checks.", "title": "Vulnerability description" }, { "category": "summary", "text": "npm-url-parse: authorization bypass through user-controlled key", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0691" }, { "category": "external", "summary": "RHBZ#2060020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060020" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0691", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0691" } ], "release_date": "2022-02-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "npm-url-parse: authorization bypass through user-controlled key" }, { "cve": "CVE-2022-1650", "cwe": { "id": "CWE-359", "name": "Exposure of Private Personal Information to an Unauthorized Actor" }, "discovery_date": "2022-05-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2085307" } ], "notes": [ { "category": "description", "text": "A flaw was found in the EventSource NPM Package. The description from the source states the following message: \"Exposure of Sensitive Information to an Unauthorized Actor.\" This flaw allows an attacker to steal the user\u0027s credentials and then use the credentials to access the legitimate website.", "title": "Vulnerability description" }, { "category": "summary", "text": "eventsource: Exposure of Sensitive Information", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1650" }, { "category": "external", "summary": "RHBZ#2085307", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1650", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1650" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650" }, { "category": "external", "summary": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e", "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e" } ], "release_date": "2022-05-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "eventsource: Exposure of Sensitive Information" }, { "cve": "CVE-2022-30631", "cwe": { "id": "CWE-1325", "name": "Improperly Controlled Sequential Memory Allocation" }, "discovery_date": "2022-07-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2107342" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: compress/gzip: stack exhaustion in Reader.Read", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30631" }, { "category": "external", "summary": "RHBZ#2107342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30631", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30631" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30631" }, { "category": "external", "summary": "https://go.dev/issue/53168", "url": "https://go.dev/issue/53168" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "release_date": "2022-07-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-09-13T00:58:09+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:6429" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:f7a1f30c7c41d792b0e10a08a70e838bd362db24eb80143276ae571f2476dad6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:c786337243812d9fa8ea8f24532e43b82154d6d14bcdc8b3171b1156c0e7372e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:745e4c70067a4d9a4bdc300fa8cfe1809383a8a0f61d86c6c91f00d275c129b6_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:4fe298bde2e47e70c410c7256c996c69e961c80ca541b1f38f409c95050ce52e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:7eb8ceb9aa809e44a7c4aca7449c06ead2550855e0d1a924228acd1498af59f7_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:e2fbf4416b52c5a9fb9c7a9c5f5ed4f865e50114ab2241b3352dff018710a467_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:3f7f986af79180370ff64404595adcf2852afc6bdf9405aad19095d539096c36_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:0c476ff9c1bb0bb6afe5d93274d2ffa8f69eb93f1f240de2c0fe9c666f6c225f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:0d8367d8e3d2babac920199a90aa93bc6c1de0f90ab0fbbef7c7b19df2556c18_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cf62dcc9b9a81bc3a7b13bb302f13ae891327e78f253a3eb7ee696911ab38561_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:7a64556b6cb9e84635f06bd0ec2c6294302229c53f4fb7d34f5e941ca84712ad_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:640a1c9bed3a04580cd47233d643d4c394a904be900698f6fa2d2a78223504f8_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:afe5e71a36eba86c80351bf442cb8bfa58f494eda9757e7efc1db1229db55c7a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:dc25cf4cbda5e0087f30be64e5530c02d235ddc80ea13a0e867fe75874080242_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:f9bd87d58290e5f3761d44a9cb1da6c91fcd1ad0a11a8a62b59035d9d201eaf2_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:d9541b848e089cebc07bf69facedcedee470268ba9a7afd28644f797bfbae8a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:016aed43d06aff0c2beb7f47fa45982118c2f039693bcfd7fb94f4ba88eb845a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: compress/gzip: stack exhaustion in Reader.Read" } ] }
gsd-2022-0691
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2022-0691", "description": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.", "id": "GSD-2022-0691", "references": [ "https://access.redhat.com/errata/RHSA-2022:6429" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-0691" ], "details": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.", "id": "GSD-2022-0691", "modified": "2023-12-13T01:19:11.630917Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0691", "STATE": "PUBLIC", "TITLE": "Authorization Bypass Through User-Controlled Key in unshiftio/url-parse" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "unshiftio/url-parse", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.5.9" } ] } } ] }, "vendor_name": "unshiftio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-639 Authorization Bypass Through User-Controlled Key" } ] } ] }, "references": { "reference_data": [ { "name": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" }, { "name": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63", "refsource": "MISC", "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63" }, { "name": "https://security.netapp.com/advisory/ntap-20220325-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0006/" }, { "name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" } ] }, "source": { "advisory": "57124ed5-4b68-4934-8325-2c546257f2e4", "discovery": "EXTERNAL" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c1.5.9", "affected_versions": "All versions before 1.5.9", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-639", "CWE-937" ], "date": "2023-02-23", "description": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.", "fixed_versions": [ "1.5.9" ], "identifier": "CVE-2022-0691", "identifiers": [ "CVE-2022-0691" ], "not_impacted": "All versions starting from 1.5.9", "package_slug": "npm/url-parse", "pubdate": "2022-02-21", "solution": "Upgrade to version 1.5.9 or above.", "title": "Authorization Bypass Through User-Controlled Key", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-0691", "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63", "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" ], "uuid": "86ced27e-eddb-4c03-ab44-6297a9ad95c4" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:url-parse_project:url-parse:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "1.5.9", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0691" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-639" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63" }, { "name": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4", "refsource": "CONFIRM", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4" }, { "name": "https://security.netapp.com/advisory/ntap-20220325-0006/", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20220325-0006/" }, { "name": "[debian-lts-announce] 20230223 [SECURITY] [DLA 3336-1] node-url-parse security update", "refsource": "MLIST", "tags": [], "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00030.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9 } }, "lastModifiedDate": "2023-02-23T03:15Z", "publishedDate": "2022-02-21T09:15Z" } } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.