Vulnerability-Lookup

CVE-2022-21654 (GCVE-0-2022-21654)

Vulnerability from cvelistv5 – Published: 2022-02-22 22:35 – Updated: 2025-04-23 19:01

Title

Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

Summary

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/envoyproxy/envoy/security/advi…	x_refsource_CONFIRM
https://github.com/envoyproxy/envoy/commit/e9f936…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
envoyproxy	envoy	Affected: >= 1.7.0, < 1.18.6 Affected: >= 1.19.0, < 1.19.3 Affected: >= 1.20.0, < 1.20.2 Affected: >= 1.21.0, < 1.21.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.224Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:55:41.314206Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:01:27.096Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "envoy",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.18.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.19.0, \u003c 1.19.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.20.0, \u003c 1.20.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.21.0, \u003c 1.21.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-22T22:35:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"
        }
      ],
      "source": {
        "advisory": "GHSA-5j4x-g36v-m283",
        "discovery": "UNKNOWN"
      },
      "title": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21654",
          "STATE": "PUBLIC",
          "TITLE": "Incorrect configuration handling allows TLS session re-use without re-validation in Envoy"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "envoy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.7.0, \u003c 1.18.6"
                          },
                          {
                            "version_value": "\u003e= 1.19.0, \u003c 1.19.3"
                          },
                          {
                            "version_value": "\u003e= 1.20.0, \u003c 1.20.2"
                          },
                          {
                            "version_value": "\u003e= 1.21.0, \u003c 1.21.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "envoyproxy"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283",
              "refsource": "CONFIRM",
              "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283"
            },
            {
              "name": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353",
              "refsource": "MISC",
              "url": "https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5j4x-g36v-m283",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21654",
    "datePublished": "2022-02-22T22:35:11.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:01:27.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-21654",
      "date": "2026-06-07",
      "epss": "0.0006",
      "percentile": "0.18969"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.7.0\", \"versionEndExcluding\": \"1.18.6\", \"matchCriteriaId\": \"62EFF3F2-C20D-497C-ADEC-9FF2FD141466\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.19.0\", \"versionEndExcluding\": \"1.19.3\", \"matchCriteriaId\": \"2812AC62-44B5-4077-862D-A221CD88981D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.20.0\", \"versionEndExcluding\": \"1.20.2\", \"matchCriteriaId\": \"F5441B2D-F807-4ED9-AFB9-ED4DE07CE5F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.21.0\", \"versionEndExcluding\": \"1.21.1\", \"matchCriteriaId\": \"83895D03-DAD1-4893-8A1C-F9143DEEC172\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.\"}, {\"lang\": \"es\", \"value\": \"Envoy es un proxy de borde y servicio de c\\u00f3digo abierto, dise\\u00f1ado para aplicaciones nativas de la nube. El tls de Envoy permite la reutilizaci\\u00f3n cuando algunos ajustes de validaci\\u00f3n de cert han cambiado de su configuraci\\u00f3n por defecto. La \\u00fanica medida de mitigaci\\u00f3n para este problema es asegurarse de que es usada la configuraci\\u00f3n tls por defecto. Es recomendado a usuarios actualizar\"}]",
      "id": "CVE-2022-21654",
      "lastModified": "2024-11-21T06:45:09.843",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-02-22T23:15:11.103",
      "references": "[{\"url\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-21654\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-02-22T23:15:11.103\",\"lastModified\":\"2024-11-21T06:45:09.843\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.\"},{\"lang\":\"es\",\"value\":\"Envoy es un proxy de borde y servicio de c\u00f3digo abierto, dise\u00f1ado para aplicaciones nativas de la nube. El tls de Envoy permite la reutilizaci\u00f3n cuando algunos ajustes de validaci\u00f3n de cert han cambiado de su configuraci\u00f3n por defecto. La \u00fanica medida de mitigaci\u00f3n para este problema es asegurarse de que es usada la configuraci\u00f3n tls por defecto. Es recomendado a usuarios actualizar\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.0\",\"versionEndExcluding\":\"1.18.6\",\"matchCriteriaId\":\"62EFF3F2-C20D-497C-ADEC-9FF2FD141466\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.19.0\",\"versionEndExcluding\":\"1.19.3\",\"matchCriteriaId\":\"2812AC62-44B5-4077-862D-A221CD88981D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.20.0\",\"versionEndExcluding\":\"1.20.2\",\"matchCriteriaId\":\"F5441B2D-F807-4ED9-AFB9-ED4DE07CE5F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.21.0\",\"versionEndExcluding\":\"1.21.1\",\"matchCriteriaId\":\"83895D03-DAD1-4893-8A1C-F9143DEEC172\"}]}]}],\"references\":[{\"url\":\"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T02:46:39.224Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-21654\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:55:41.314206Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:55:43.079Z\"}}], \"cna\": {\"title\": \"Incorrect configuration handling allows TLS session re-use without re-validation in Envoy\", \"source\": {\"advisory\": \"GHSA-5j4x-g36v-m283\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"envoyproxy\", \"product\": \"envoy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.7.0, \u003c 1.18.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.19.0, \u003c 1.19.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.20.0, \u003c 1.20.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.21.0, \u003c 1.21.1\"}]}], \"references\": [{\"url\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-02-22T22:35:11.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-5j4x-g36v-m283\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 1.7.0, \u003c 1.18.6\"}, {\"version_value\": \"\u003e= 1.19.0, \u003c 1.19.3\"}, {\"version_value\": \"\u003e= 1.20.0, \u003c 1.20.2\"}, {\"version_value\": \"\u003e= 1.21.0, \u003c 1.21.1\"}]}, \"product_name\": \"envoy\"}]}, \"vendor_name\": \"envoyproxy\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"name\": \"https://github.com/envoyproxy/envoy/security/advisories/GHSA-5j4x-g36v-m283\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"name\": \"https://github.com/envoyproxy/envoy/commit/e9f936d85dc1edc34fabd0a1725ec180f2316353\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy\u0027s tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-295: Improper Certificate Validation\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-21654\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Incorrect configuration handling allows TLS session re-use without re-validation in Envoy\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-21654\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T19:01:27.096Z\", \"dateReserved\": \"2021-11-16T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-02-22T22:35:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

WID-SEC-W-2022-0970

Vulnerability from csaf_certbund - Published: 2022-04-07 22:00 - Updated: 2024-05-21 22:00

Summary

Red Hat OpenShift: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.

Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsmaßnahmen zu umgehen.

Betroffene Betriebssysteme: - Sonstiges

CVE-2020-28851

In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsmaßnahmen zu umgehen.

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2020-28852

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-29482

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-29923

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-3121

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-36221

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-3749

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-43565

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-43824

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-43825

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2021-43826

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2022-21654

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2022-21655

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2022-23606

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2022-23635

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

CVE-2022-24726

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat OpenShift Container Platform 4 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_4`	Container Platform 4

References

14 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2022:4668	external
https://access.redhat.com/errata/RHSA-2022:1275	external
https://access.redhat.com/errata/RHSA-2022:1276	external
https://access.redhat.com/errata/RHSA-2022:1679	external
https://linux.oracle.com/errata/ELSA-2022-9362.html	external
https://security.gentoo.org/glsa/202208-02	external
https://linux.oracle.com/errata/ELSA-2022-7129.html	external
https://access.redhat.com/errata/RHSA-2022:7129	external
https://access.redhat.com/errata/RHSA-2022:7457	external
https://access.redhat.com/errata/RHSA-2022:7954	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2303.html	external
https://access.redhat.com/errata/RHSA-2024:2944	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0970 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0970.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0970 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0970"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:4668 vom 2022-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2022:4668"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2022-04-07",
        "url": "https://access.redhat.com/errata/RHSA-2022:1275"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2022-04-07",
        "url": "https://access.redhat.com/errata/RHSA-2022:1276"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1679 vom 2022-05-10",
        "url": "https://access.redhat.com/errata/RHSA-2022:1679"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-9362 vom 2022-05-09",
        "url": "https://linux.oracle.com/errata/ELSA-2022-9362.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202208-02 vom 2022-08-09",
        "url": "https://security.gentoo.org/glsa/202208-02"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-7129 vom 2022-10-26",
        "url": "https://linux.oracle.com/errata/ELSA-2022-7129.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7129 vom 2022-10-25",
        "url": "https://access.redhat.com/errata/RHSA-2022:7129"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7457 vom 2022-11-08",
        "url": "https://access.redhat.com/errata/RHSA-2022:7457"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7954 vom 2022-11-15",
        "url": "https://access.redhat.com/errata/RHSA-2022:7954"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2023-2303 vom 2023-10-20",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2303.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:2944 vom 2024-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2024:2944"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat OpenShift: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-05-21T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:33:04.107+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-0970",
      "initial_release_date": "2022-04-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-04-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-05-10T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-05-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-08-09T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2022-10-25T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2022-11-08T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-11-15T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-19T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-05-21T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Container Platform 4",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4",
                  "product_id": "T022509",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:container_platform_4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Service Mesh \u003c2.1.2",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh \u003c2.1.2",
                  "product_id": "T022580"
                }
              },
              {
                "category": "product_version_range",
                "name": "Service Mesh \u003c2.0.9",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh \u003c2.0.9",
                  "product_id": "T022581"
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-28851",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2020-28851"
    },
    {
      "cve": "CVE-2020-28852",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2020-28852"
    },
    {
      "cve": "CVE-2021-29482",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-29482"
    },
    {
      "cve": "CVE-2021-29923",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-29923"
    },
    {
      "cve": "CVE-2021-3121",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-3121"
    },
    {
      "cve": "CVE-2021-36221",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-36221"
    },
    {
      "cve": "CVE-2021-3749",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-3749"
    },
    {
      "cve": "CVE-2021-43565",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-43565"
    },
    {
      "cve": "CVE-2021-43824",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-43824"
    },
    {
      "cve": "CVE-2021-43825",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-43825"
    },
    {
      "cve": "CVE-2021-43826",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2021-43826"
    },
    {
      "cve": "CVE-2022-21654",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2022-21654"
    },
    {
      "cve": "CVE-2022-21655",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2022-21655"
    },
    {
      "cve": "CVE-2022-23606",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2022-23606"
    },
    {
      "cve": "CVE-2022-23635",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2022-23635"
    },
    {
      "cve": "CVE-2022-24726",
      "notes": [
        {
          "category": "description",
          "text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Die Fehler bestehen in den Komponenten envoy, golang, github.com/gogo/protobuf, Node.js Axios und github.com/ulikunitz/xz. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen und Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "398363",
          "T012167",
          "T004914",
          "T022509"
        ]
      },
      "release_date": "2022-04-07T22:00:00.000+00:00",
      "title": "CVE-2022-24726"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-21654 (GCVE-0-2022-21654)

WID-SEC-W-2022-0970

Tags

Sightings

Nomenclature