CVE-2022-41723 (GCVE-0-2022-41723)
Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-05-05 16:12
- CWE 400: Uncontrolled Resource Consumption
- NVD-CWE-Other
| Vendor | Product | Version |
|---|---|---|
| Go standard library | net/http | Affected: 0, < 1.19.6 (semver)<br>Affected: 1.20.0-0, < 1.20.1 (semver) |
| golang.org/x/net | golang.org/x/net/http2 | Affected: 0, < 0.7.0 (semver) |
| golang.org/x/net | golang.org/x/net/http2/hpack | Affected: 0, < 0.7.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230331-0010/"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/57855"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/468135"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/468295"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1571"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.couchbase.com/alerts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-41723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:26:37.352634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NVD-CWE-Other",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:12:28.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http",
"product": "net/http",
"programRoutines": [
{
"name": "Transport.RoundTrip"
},
{
"name": "Server.Serve"
},
{
"name": "Client.Do"
},
{
"name": "Client.Get"
},
{
"name": "Client.Head"
},
{
"name": "Client.Post"
},
{
"name": "Client.PostForm"
},
{
"name": "Get"
},
{
"name": "Head"
},
{
"name": "ListenAndServe"
},
{
"name": "ListenAndServeTLS"
},
{
"name": "Post"
},
{
"name": "PostForm"
},
{
"name": "Serve"
},
{
"name": "ServeTLS"
},
{
"name": "Server.ListenAndServe"
},
{
"name": "Server.ListenAndServeTLS"
},
{
"name": "Server.ServeTLS"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.19.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.20.1",
"status": "affected",
"version": "1.20.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2",
"product": "golang.org/x/net/http2",
"programRoutines": [
{
"name": "Transport.RoundTrip"
},
{
"name": "Server.ServeConn"
},
{
"name": "ClientConn.Close"
},
{
"name": "ClientConn.Ping"
},
{
"name": "ClientConn.RoundTrip"
},
{
"name": "ClientConn.Shutdown"
},
{
"name": "ConfigureServer"
},
{
"name": "ConfigureTransport"
},
{
"name": "ConfigureTransports"
},
{
"name": "ConnectionError.Error"
},
{
"name": "ErrCode.String"
},
{
"name": "FrameHeader.String"
},
{
"name": "FrameType.String"
},
{
"name": "FrameWriteRequest.String"
},
{
"name": "Framer.ReadFrame"
},
{
"name": "Framer.WriteContinuation"
},
{
"name": "Framer.WriteData"
},
{
"name": "Framer.WriteDataPadded"
},
{
"name": "Framer.WriteGoAway"
},
{
"name": "Framer.WriteHeaders"
},
{
"name": "Framer.WritePing"
},
{
"name": "Framer.WritePriority"
},
{
"name": "Framer.WritePushPromise"
},
{
"name": "Framer.WriteRSTStream"
},
{
"name": "Framer.WriteRawFrame"
},
{
"name": "Framer.WriteSettings"
},
{
"name": "Framer.WriteSettingsAck"
},
{
"name": "Framer.WriteWindowUpdate"
},
{
"name": "GoAwayError.Error"
},
{
"name": "ReadFrameHeader"
},
{
"name": "Setting.String"
},
{
"name": "SettingID.String"
},
{
"name": "SettingsFrame.ForeachSetting"
},
{
"name": "StreamError.Error"
},
{
"name": "Transport.CloseIdleConnections"
},
{
"name": "Transport.NewClientConn"
},
{
"name": "Transport.RoundTripOpt"
},
{
"name": "bufferedWriter.Flush"
},
{
"name": "bufferedWriter.Write"
},
{
"name": "chunkWriter.Write"
},
{
"name": "clientConnPool.GetClientConn"
},
{
"name": "connError.Error"
},
{
"name": "dataBuffer.Read"
},
{
"name": "duplicatePseudoHeaderError.Error"
},
{
"name": "gzipReader.Close"
},
{
"name": "gzipReader.Read"
},
{
"name": "headerFieldNameError.Error"
},
{
"name": "headerFieldValueError.Error"
},
{
"name": "noDialClientConnPool.GetClientConn"
},
{
"name": "noDialH2RoundTripper.RoundTrip"
},
{
"name": "pipe.Read"
},
{
"name": "priorityWriteScheduler.CloseStream"
},
{
"name": "priorityWriteScheduler.OpenStream"
},
{
"name": "pseudoHeaderError.Error"
},
{
"name": "requestBody.Close"
},
{
"name": "requestBody.Read"
},
{
"name": "responseWriter.Flush"
},
{
"name": "responseWriter.FlushError"
},
{
"name": "responseWriter.Push"
},
{
"name": "responseWriter.SetReadDeadline"
},
{
"name": "responseWriter.SetWriteDeadline"
},
{
"name": "responseWriter.Write"
},
{
"name": "responseWriter.WriteHeader"
},
{
"name": "responseWriter.WriteString"
},
{
"name": "serverConn.CloseConn"
},
{
"name": "serverConn.Flush"
},
{
"name": "stickyErrWriter.Write"
},
{
"name": "transportResponseBody.Close"
},
{
"name": "transportResponseBody.Read"
},
{
"name": "writeData.String"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/net/http2/hpack",
"product": "golang.org/x/net/http2/hpack",
"programRoutines": [
{
"name": "Decoder.parseFieldLiteral"
},
{
"name": "Decoder.readString"
},
{
"name": "Decoder.DecodeFull"
},
{
"name": "Decoder.Write"
}
],
"vendor": "golang.org/x/net",
"versions": [
{
"lessThan": "0.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:48.448Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/57855"
},
{
"url": "https://go.dev/cl/468135"
},
{
"url": "https://go.dev/cl/468295"
},
{
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1571"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
},
{
"url": "https://www.couchbase.com/alerts/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-41723",
"datePublished": "2023-02-28T17:19:45.801Z",
"dateReserved": "2022-09-28T17:00:06.610Z",
"dateUpdated": "2025-05-05T16:12:28.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-41723",
"date": "2026-06-10",
"epss": "0.00264",
"percentile": "0.50033"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.19.6\", \"matchCriteriaId\": \"2219CF76-6D17-487E-9B67-BC49E4743528\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"B78574DF-045C-4A26-B0F5-8C082B24D9FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:*\", \"versionEndExcluding\": \"0.7.0\", \"matchCriteriaId\": \"CA68ED61-191E-4903-B65D-CBA7A0370B8E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*\", \"versionEndExcluding\": \"0.7.0\", \"matchCriteriaId\": \"3EBDC12D-E7B0-4138-B6B1-709E61703629\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\"}]",
"id": "CVE-2022-41723",
"lastModified": "2024-11-21T07:23:44.433",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-02-28T18:15:09.980",
"references": "[{\"url\": \"https://go.dev/cl/468135\", \"source\": \"security@golang.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/cl/468295\", \"source\": \"security@golang.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/issue/57855\", \"source\": \"security@golang.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\", \"source\": \"security@golang.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\", \"source\": \"security@golang.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\", \"source\": \"security@golang.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\", \"source\": \"security@golang.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\", \"source\": \"security@golang.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\", \"source\": \"security@golang.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\", \"source\": \"security@golang.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\", \"source\": \"security@golang.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\", \"source\": 
\"security@golang.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\", \"source\": \"security@golang.org\"}, {\"url\": \"https://www.couchbase.com/alerts/\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/cl/468135\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/cl/468295\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://go.dev/issue/57855\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": 
\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230331-0010/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.couchbase.com/alerts/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-41723\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2023-02-28T18:15:09.980\",\"lastModified\":\"2025-05-05T16:15:20.433\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.19.6\",\"matchCriteriaId\":\"2219CF76-6D17-487E-9B67-BC49E4743528\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B78574DF-045C-4A26-B0F5-8C082B24D9FD\"},{
\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.7.0\",\"matchCriteriaId\":\"CA68ED61-191E-4903-B65D-CBA7A0370B8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"0.7.0\",\"matchCriteriaId\":\"3EBDC12D-E7B0-4138-B6B1-709E61703629\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/468135\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/cl/468295\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/57855\",\"source\":\"security@golang.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\",\"source\":\"security@golang.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\",\"source\":\"security@golang.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\",\"source\":\"security@golang.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\",\"source\":\"security@golang.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\",\"source\":\"security@golang.org\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\",\"source\":\"security@golang.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\",\"source\":\"security@golang.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2023-1571\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"security@golang.org\"},{\"url\":\"https://www.couchbase.com/alerts/\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/cl/468135\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/cl/468295\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/57855\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2023-1571\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202311-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20230331-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.couchbase.com/alerts/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20230331-0010/\"}, {\"url\": \"https://go.dev/issue/57855\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go.dev/cl/468135\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go.dev/cl/468295\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.couchbase.com/alerts/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": 
\"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:49:43.617Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41723\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:26:37.352634Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"NVD-CWE-Other\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T13:06:39.980Z\"}}], \"cna\": {\"title\": \"Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net\", \"credits\": [{\"lang\": \"en\", \"value\": \"Philippe Antoine (Catena cyber)\"}], \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"net/http\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.19.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.20.0-0\", \"lessThan\": \"1.20.1\", \"versionType\": \"semver\"}], \"packageName\": \"net/http\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Transport.RoundTrip\"}, {\"name\": \"Server.Serve\"}, {\"name\": \"Client.Do\"}, {\"name\": \"Client.Get\"}, {\"name\": \"Client.Head\"}, {\"name\": \"Client.Post\"}, {\"name\": \"Client.PostForm\"}, {\"name\": 
\"Get\"}, {\"name\": \"Head\"}, {\"name\": \"ListenAndServe\"}, {\"name\": \"ListenAndServeTLS\"}, {\"name\": \"Post\"}, {\"name\": \"PostForm\"}, {\"name\": \"Serve\"}, {\"name\": \"ServeTLS\"}, {\"name\": \"Server.ListenAndServe\"}, {\"name\": \"Server.ListenAndServeTLS\"}, {\"name\": \"Server.ServeTLS\"}]}, {\"vendor\": \"golang.org/x/net\", \"product\": \"golang.org/x/net/http2\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.7.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/net/http2\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Transport.RoundTrip\"}, {\"name\": \"Server.ServeConn\"}, {\"name\": \"ClientConn.Close\"}, {\"name\": \"ClientConn.Ping\"}, {\"name\": \"ClientConn.RoundTrip\"}, {\"name\": \"ClientConn.Shutdown\"}, {\"name\": \"ConfigureServer\"}, {\"name\": \"ConfigureTransport\"}, {\"name\": \"ConfigureTransports\"}, {\"name\": \"ConnectionError.Error\"}, {\"name\": \"ErrCode.String\"}, {\"name\": \"FrameHeader.String\"}, {\"name\": \"FrameType.String\"}, {\"name\": \"FrameWriteRequest.String\"}, {\"name\": \"Framer.ReadFrame\"}, {\"name\": \"Framer.WriteContinuation\"}, {\"name\": \"Framer.WriteData\"}, {\"name\": \"Framer.WriteDataPadded\"}, {\"name\": \"Framer.WriteGoAway\"}, {\"name\": \"Framer.WriteHeaders\"}, {\"name\": \"Framer.WritePing\"}, {\"name\": \"Framer.WritePriority\"}, {\"name\": \"Framer.WritePushPromise\"}, {\"name\": \"Framer.WriteRSTStream\"}, {\"name\": \"Framer.WriteRawFrame\"}, {\"name\": \"Framer.WriteSettings\"}, {\"name\": \"Framer.WriteSettingsAck\"}, {\"name\": \"Framer.WriteWindowUpdate\"}, {\"name\": \"GoAwayError.Error\"}, {\"name\": \"ReadFrameHeader\"}, {\"name\": \"Setting.String\"}, {\"name\": \"SettingID.String\"}, {\"name\": \"SettingsFrame.ForeachSetting\"}, {\"name\": \"StreamError.Error\"}, {\"name\": \"Transport.CloseIdleConnections\"}, {\"name\": \"Transport.NewClientConn\"}, 
{\"name\": \"Transport.RoundTripOpt\"}, {\"name\": \"bufferedWriter.Flush\"}, {\"name\": \"bufferedWriter.Write\"}, {\"name\": \"chunkWriter.Write\"}, {\"name\": \"clientConnPool.GetClientConn\"}, {\"name\": \"connError.Error\"}, {\"name\": \"dataBuffer.Read\"}, {\"name\": \"duplicatePseudoHeaderError.Error\"}, {\"name\": \"gzipReader.Close\"}, {\"name\": \"gzipReader.Read\"}, {\"name\": \"headerFieldNameError.Error\"}, {\"name\": \"headerFieldValueError.Error\"}, {\"name\": \"noDialClientConnPool.GetClientConn\"}, {\"name\": \"noDialH2RoundTripper.RoundTrip\"}, {\"name\": \"pipe.Read\"}, {\"name\": \"priorityWriteScheduler.CloseStream\"}, {\"name\": \"priorityWriteScheduler.OpenStream\"}, {\"name\": \"pseudoHeaderError.Error\"}, {\"name\": \"requestBody.Close\"}, {\"name\": \"requestBody.Read\"}, {\"name\": \"responseWriter.Flush\"}, {\"name\": \"responseWriter.FlushError\"}, {\"name\": \"responseWriter.Push\"}, {\"name\": \"responseWriter.SetReadDeadline\"}, {\"name\": \"responseWriter.SetWriteDeadline\"}, {\"name\": \"responseWriter.Write\"}, {\"name\": \"responseWriter.WriteHeader\"}, {\"name\": \"responseWriter.WriteString\"}, {\"name\": \"serverConn.CloseConn\"}, {\"name\": \"serverConn.Flush\"}, {\"name\": \"stickyErrWriter.Write\"}, {\"name\": \"transportResponseBody.Close\"}, {\"name\": \"transportResponseBody.Read\"}, {\"name\": \"writeData.String\"}]}, {\"vendor\": \"golang.org/x/net\", \"product\": \"golang.org/x/net/http2/hpack\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.7.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/net/http2/hpack\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Decoder.parseFieldLiteral\"}, {\"name\": \"Decoder.readString\"}, {\"name\": \"Decoder.DecodeFull\"}, {\"name\": \"Decoder.Write\"}]}], \"references\": [{\"url\": \"https://go.dev/issue/57855\"}, {\"url\": \"https://go.dev/cl/468135\"}, {\"url\": 
\"https://go.dev/cl/468295\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/\"}, {\"url\": \"https://www.couchbase.com/alerts/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/\"}, {\"url\": \"https://security.gentoo.org/glsa/202311-09\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE 400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2023-11-25T11:09:48.448Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-41723\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-05T16:12:28.159Z\", \"dateReserved\": \"2022-09-28T17:00:06.610Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2023-02-28T17:19:45.801Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2024:12708-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "go1.20-1.20.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the go1.20-1.20.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12708",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12708-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41722 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41722/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41724 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41725 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41725/"
}
],
"title": "go1.20-1.20.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12708-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "go1.20-1.20.1-1.1.aarch64",
"product": {
"name": "go1.20-1.20.1-1.1.aarch64",
"product_id": "go1.20-1.20.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.20-doc-1.20.1-1.1.aarch64",
"product": {
"name": "go1.20-doc-1.20.1-1.1.aarch64",
"product_id": "go1.20-doc-1.20.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.20-race-1.20.1-1.1.aarch64",
"product": {
"name": "go1.20-race-1.20.1-1.1.aarch64",
"product_id": "go1.20-race-1.20.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.20-1.20.1-1.1.ppc64le",
"product": {
"name": "go1.20-1.20.1-1.1.ppc64le",
"product_id": "go1.20-1.20.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "go1.20-doc-1.20.1-1.1.ppc64le",
"product": {
"name": "go1.20-doc-1.20.1-1.1.ppc64le",
"product_id": "go1.20-doc-1.20.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "go1.20-race-1.20.1-1.1.ppc64le",
"product": {
"name": "go1.20-race-1.20.1-1.1.ppc64le",
"product_id": "go1.20-race-1.20.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.20-1.20.1-1.1.s390x",
"product": {
"name": "go1.20-1.20.1-1.1.s390x",
"product_id": "go1.20-1.20.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "go1.20-doc-1.20.1-1.1.s390x",
"product": {
"name": "go1.20-doc-1.20.1-1.1.s390x",
"product_id": "go1.20-doc-1.20.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "go1.20-race-1.20.1-1.1.s390x",
"product": {
"name": "go1.20-race-1.20.1-1.1.s390x",
"product_id": "go1.20-race-1.20.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.20-1.20.1-1.1.x86_64",
"product": {
"name": "go1.20-1.20.1-1.1.x86_64",
"product_id": "go1.20-1.20.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.20-doc-1.20.1-1.1.x86_64",
"product": {
"name": "go1.20-doc-1.20.1-1.1.x86_64",
"product_id": "go1.20-doc-1.20.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.20-race-1.20.1-1.1.x86_64",
"product": {
"name": "go1.20-race-1.20.1-1.1.x86_64",
"product_id": "go1.20-race-1.20.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-1.20.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64"
},
"product_reference": "go1.20-1.20.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-1.20.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le"
},
"product_reference": "go1.20-1.20.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-1.20.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x"
},
"product_reference": "go1.20-1.20.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-1.20.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64"
},
"product_reference": "go1.20-1.20.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-doc-1.20.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64"
},
"product_reference": "go1.20-doc-1.20.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-doc-1.20.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le"
},
"product_reference": "go1.20-doc-1.20.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-doc-1.20.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x"
},
"product_reference": "go1.20-doc-1.20.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-doc-1.20.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64"
},
"product_reference": "go1.20-doc-1.20.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-race-1.20.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64"
},
"product_reference": "go1.20-race-1.20.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-race-1.20.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le"
},
"product_reference": "go1.20-race-1.20.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-race-1.20.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x"
},
"product_reference": "go1.20-race-1.20.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.20-race-1.20.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
},
"product_reference": "go1.20-race-1.20.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41722",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41722"
}
],
"notes": [
{
"category": "general",
"text": "A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as \"a/../c:/b\" into the valid path \"c:\\b\". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path \".\\c:\\b\".",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41722",
"url": "https://www.suse.com/security/cve/CVE-2022-41722"
},
{
"category": "external",
"summary": "SUSE Bug 1208269 for CVE-2022-41722",
"url": "https://bugzilla.suse.com/1208269"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41722"
},
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
},
{
"cve": "CVE-2022-41724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41724"
}
],
"notes": [
{
"category": "general",
"text": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth \u003e= RequestClientCert).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41724",
"url": "https://www.suse.com/security/cve/CVE-2022-41724"
},
{
"category": "external",
"summary": "SUSE Bug 1208271 for CVE-2022-41724",
"url": "https://bugzilla.suse.com/1208271"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41724"
},
{
"cve": "CVE-2022-41725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41725"
}
],
"notes": [
{
"category": "general",
"text": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type\u0027s documentation states, \"If stored on disk, the File\u0027s underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41725",
"url": "https://www.suse.com/security/cve/CVE-2022-41725"
},
{
"category": "external",
"summary": "SUSE Bug 1208272 for CVE-2022-41725",
"url": "https://bugzilla.suse.com/1208272"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-doc-1.20.1-1.1.x86_64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.aarch64",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.ppc64le",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.s390x",
"openSUSE Tumbleweed:go1.20-race-1.20.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-41725"
}
]
}
OPENSUSE-SU-2024:12732-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.3.6-2.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-9.3.6-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-9.3.6-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12732",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12732-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
}
],
"title": "grafana-9.3.6-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12732-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-2.1.aarch64",
"product": {
"name": "grafana-9.3.6-2.1.aarch64",
"product_id": "grafana-9.3.6-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-2.1.ppc64le",
"product": {
"name": "grafana-9.3.6-2.1.ppc64le",
"product_id": "grafana-9.3.6-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-2.1.s390x",
"product": {
"name": "grafana-9.3.6-2.1.s390x",
"product_id": "grafana-9.3.6-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.3.6-2.1.x86_64",
"product": {
"name": "grafana-9.3.6-2.1.x86_64",
"product_id": "grafana-9.3.6-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-2.1.aarch64"
},
"product_reference": "grafana-9.3.6-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-2.1.ppc64le"
},
"product_reference": "grafana-9.3.6-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-2.1.s390x"
},
"product_reference": "grafana-9.3.6-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.3.6-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.3.6-2.1.x86_64"
},
"product_reference": "grafana-9.3.6-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.3.6-2.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.3.6-2.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.3.6-2.1.aarch64",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.s390x",
"openSUSE Tumbleweed:grafana-9.3.6-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
}
]
}
OPENSUSE-SU-2024:12798-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "go1.18-1.18.10-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the go1.18-1.18.10-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12798",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12798-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41724 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41725 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41725/"
}
],
"title": "go1.18-1.18.10-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12798-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "go1.18-1.18.10-1.1.aarch64",
"product": {
"name": "go1.18-1.18.10-1.1.aarch64",
"product_id": "go1.18-1.18.10-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.18-doc-1.18.10-1.1.aarch64",
"product": {
"name": "go1.18-doc-1.18.10-1.1.aarch64",
"product_id": "go1.18-doc-1.18.10-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.18-race-1.18.10-1.1.aarch64",
"product": {
"name": "go1.18-race-1.18.10-1.1.aarch64",
"product_id": "go1.18-race-1.18.10-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.18-1.18.10-1.1.ppc64le",
"product": {
"name": "go1.18-1.18.10-1.1.ppc64le",
"product_id": "go1.18-1.18.10-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "go1.18-doc-1.18.10-1.1.ppc64le",
"product": {
"name": "go1.18-doc-1.18.10-1.1.ppc64le",
"product_id": "go1.18-doc-1.18.10-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "go1.18-race-1.18.10-1.1.ppc64le",
"product": {
"name": "go1.18-race-1.18.10-1.1.ppc64le",
"product_id": "go1.18-race-1.18.10-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.18-1.18.10-1.1.s390x",
"product": {
"name": "go1.18-1.18.10-1.1.s390x",
"product_id": "go1.18-1.18.10-1.1.s390x"
}
},
{
"category": "product_version",
"name": "go1.18-doc-1.18.10-1.1.s390x",
"product": {
"name": "go1.18-doc-1.18.10-1.1.s390x",
"product_id": "go1.18-doc-1.18.10-1.1.s390x"
}
},
{
"category": "product_version",
"name": "go1.18-race-1.18.10-1.1.s390x",
"product": {
"name": "go1.18-race-1.18.10-1.1.s390x",
"product_id": "go1.18-race-1.18.10-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.18-1.18.10-1.1.x86_64",
"product": {
"name": "go1.18-1.18.10-1.1.x86_64",
"product_id": "go1.18-1.18.10-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.18-doc-1.18.10-1.1.x86_64",
"product": {
"name": "go1.18-doc-1.18.10-1.1.x86_64",
"product_id": "go1.18-doc-1.18.10-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.18-race-1.18.10-1.1.x86_64",
"product": {
"name": "go1.18-race-1.18.10-1.1.x86_64",
"product_id": "go1.18-race-1.18.10-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-1.18.10-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64"
},
"product_reference": "go1.18-1.18.10-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-1.18.10-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le"
},
"product_reference": "go1.18-1.18.10-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-1.18.10-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x"
},
"product_reference": "go1.18-1.18.10-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-1.18.10-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64"
},
"product_reference": "go1.18-1.18.10-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-doc-1.18.10-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64"
},
"product_reference": "go1.18-doc-1.18.10-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-doc-1.18.10-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le"
},
"product_reference": "go1.18-doc-1.18.10-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-doc-1.18.10-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x"
},
"product_reference": "go1.18-doc-1.18.10-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-doc-1.18.10-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64"
},
"product_reference": "go1.18-doc-1.18.10-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-race-1.18.10-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64"
},
"product_reference": "go1.18-race-1.18.10-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-race-1.18.10-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le"
},
"product_reference": "go1.18-race-1.18.10-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-race-1.18.10-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x"
},
"product_reference": "go1.18-race-1.18.10-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.18-race-1.18.10-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
},
"product_reference": "go1.18-race-1.18.10-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
},
{
"cve": "CVE-2022-41724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41724"
}
],
"notes": [
{
"category": "general",
"text": "Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth \u003e= RequestClientCert).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41724",
"url": "https://www.suse.com/security/cve/CVE-2022-41724"
},
{
"category": "external",
"summary": "SUSE Bug 1208271 for CVE-2022-41724",
"url": "https://bugzilla.suse.com/1208271"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41724"
},
{
"cve": "CVE-2022-41725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41725"
}
],
"notes": [
{
"category": "general",
"text": "A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type\u0027s documentation states, \"If stored on disk, the File\u0027s underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41725",
"url": "https://www.suse.com/security/cve/CVE-2022-41725"
},
{
"category": "external",
"summary": "SUSE Bug 1208272 for CVE-2022-41725",
"url": "https://bugzilla.suse.com/1208272"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-doc-1.18.10-1.1.x86_64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.aarch64",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.ppc64le",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.s390x",
"openSUSE Tumbleweed:go1.18-race-1.18.10-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-41725"
}
]
}
OPENSUSE-SU-2024:12809-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:docker-compose-2.17.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:docker-compose-2.17.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:docker-compose-2.17.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:docker-compose-2.17.0-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "docker-compose-2.17.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the docker-compose-2.17.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12809",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12809-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
}
],
"title": "docker-compose-2.17.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12809-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "docker-compose-2.17.0-1.1.aarch64",
"product": {
"name": "docker-compose-2.17.0-1.1.aarch64",
"product_id": "docker-compose-2.17.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-compose-2.17.0-1.1.ppc64le",
"product": {
"name": "docker-compose-2.17.0-1.1.ppc64le",
"product_id": "docker-compose-2.17.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-compose-2.17.0-1.1.s390x",
"product": {
"name": "docker-compose-2.17.0-1.1.s390x",
"product_id": "docker-compose-2.17.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-compose-2.17.0-1.1.x86_64",
"product": {
"name": "docker-compose-2.17.0-1.1.x86_64",
"product_id": "docker-compose-2.17.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-compose-2.17.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-compose-2.17.0-1.1.aarch64"
},
"product_reference": "docker-compose-2.17.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-compose-2.17.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-compose-2.17.0-1.1.ppc64le"
},
"product_reference": "docker-compose-2.17.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-compose-2.17.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-compose-2.17.0-1.1.s390x"
},
"product_reference": "docker-compose-2.17.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-compose-2.17.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:docker-compose-2.17.0-1.1.x86_64"
},
"product_reference": "docker-compose-2.17.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.aarch64",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.s390x",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.aarch64",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.s390x",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.aarch64",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.ppc64le",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.s390x",
"openSUSE Tumbleweed:docker-compose-2.17.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
}
]
}
OPENSUSE-SU-2024:12899-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:restic-0.15.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-0.15.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-0.15.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-0.15.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "restic-0.15.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the restic-0.15.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12899",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12899-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
}
],
"title": "restic-0.15.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12899-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "restic-0.15.2-1.1.aarch64",
"product": {
"name": "restic-0.15.2-1.1.aarch64",
"product_id": "restic-0.15.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "restic-bash-completion-0.15.2-1.1.aarch64",
"product": {
"name": "restic-bash-completion-0.15.2-1.1.aarch64",
"product_id": "restic-bash-completion-0.15.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "restic-zsh-completion-0.15.2-1.1.aarch64",
"product": {
"name": "restic-zsh-completion-0.15.2-1.1.aarch64",
"product_id": "restic-zsh-completion-0.15.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "restic-0.15.2-1.1.ppc64le",
"product": {
"name": "restic-0.15.2-1.1.ppc64le",
"product_id": "restic-0.15.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "restic-bash-completion-0.15.2-1.1.ppc64le",
"product": {
"name": "restic-bash-completion-0.15.2-1.1.ppc64le",
"product_id": "restic-bash-completion-0.15.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "restic-zsh-completion-0.15.2-1.1.ppc64le",
"product": {
"name": "restic-zsh-completion-0.15.2-1.1.ppc64le",
"product_id": "restic-zsh-completion-0.15.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "restic-0.15.2-1.1.s390x",
"product": {
"name": "restic-0.15.2-1.1.s390x",
"product_id": "restic-0.15.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "restic-bash-completion-0.15.2-1.1.s390x",
"product": {
"name": "restic-bash-completion-0.15.2-1.1.s390x",
"product_id": "restic-bash-completion-0.15.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "restic-zsh-completion-0.15.2-1.1.s390x",
"product": {
"name": "restic-zsh-completion-0.15.2-1.1.s390x",
"product_id": "restic-zsh-completion-0.15.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "restic-0.15.2-1.1.x86_64",
"product": {
"name": "restic-0.15.2-1.1.x86_64",
"product_id": "restic-0.15.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "restic-bash-completion-0.15.2-1.1.x86_64",
"product": {
"name": "restic-bash-completion-0.15.2-1.1.x86_64",
"product_id": "restic-bash-completion-0.15.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "restic-zsh-completion-0.15.2-1.1.x86_64",
"product": {
"name": "restic-zsh-completion-0.15.2-1.1.x86_64",
"product_id": "restic-zsh-completion-0.15.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-0.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-0.15.2-1.1.aarch64"
},
"product_reference": "restic-0.15.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-0.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-0.15.2-1.1.ppc64le"
},
"product_reference": "restic-0.15.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-0.15.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-0.15.2-1.1.s390x"
},
"product_reference": "restic-0.15.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-0.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-0.15.2-1.1.x86_64"
},
"product_reference": "restic-0.15.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-bash-completion-0.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.aarch64"
},
"product_reference": "restic-bash-completion-0.15.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-bash-completion-0.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.ppc64le"
},
"product_reference": "restic-bash-completion-0.15.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-bash-completion-0.15.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.s390x"
},
"product_reference": "restic-bash-completion-0.15.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-bash-completion-0.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.x86_64"
},
"product_reference": "restic-bash-completion-0.15.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-zsh-completion-0.15.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.aarch64"
},
"product_reference": "restic-zsh-completion-0.15.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-zsh-completion-0.15.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.ppc64le"
},
"product_reference": "restic-zsh-completion-0.15.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-zsh-completion-0.15.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.s390x"
},
"product_reference": "restic-zsh-completion-0.15.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "restic-zsh-completion-0.15.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.x86_64"
},
"product_reference": "restic-zsh-completion-0.15.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:restic-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:restic-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:restic-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-bash-completion-0.15.2-1.1.x86_64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.aarch64",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.ppc64le",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.s390x",
"openSUSE Tumbleweed:restic-zsh-completion-0.15.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
}
]
}
OPENSUSE-SU-2024:13005-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kubescape-2.3.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kubescape-2.3.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13005",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13005-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-28840 page",
"url": "https://www.suse.com/security/cve/CVE-2023-28840/"
}
],
"title": "kubescape-2.3.6-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13005-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubescape-2.3.6-1.1.aarch64",
"product": {
"name": "kubescape-2.3.6-1.1.aarch64",
"product_id": "kubescape-2.3.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubescape-2.3.6-1.1.ppc64le",
"product": {
"name": "kubescape-2.3.6-1.1.ppc64le",
"product_id": "kubescape-2.3.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kubescape-2.3.6-1.1.s390x",
"product": {
"name": "kubescape-2.3.6-1.1.s390x",
"product_id": "kubescape-2.3.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kubescape-2.3.6-1.1.x86_64",
"product": {
"name": "kubescape-2.3.6-1.1.x86_64",
"product_id": "kubescape-2.3.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubescape-2.3.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64"
},
"product_reference": "kubescape-2.3.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubescape-2.3.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le"
},
"product_reference": "kubescape-2.3.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubescape-2.3.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x"
},
"product_reference": "kubescape-2.3.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubescape-2.3.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
},
"product_reference": "kubescape-2.3.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
},
{
"cve": "CVE-2023-28840",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-28840"
}
],
"notes": [
{
"category": "general",
"text": "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. 
These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet\u0027s VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nTwo iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.\n\nThe injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container\u0027s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.\n\nPatches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime\u0027s 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-28840",
"url": "https://www.suse.com/security/cve/CVE-2023-28840"
},
{
"category": "external",
"summary": "SUSE Bug 1214107 for CVE-2023-28840",
"url": "https://bugzilla.suse.com/1214107"
},
{
"category": "external",
"summary": "SUSE Bug 1215525 for CVE-2023-28840",
"url": "https://bugzilla.suse.com/1215525"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.aarch64",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.ppc64le",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.s390x",
"openSUSE Tumbleweed:kubescape-2.3.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-28840"
}
]
}
OPENSUSE-SU-2024:13109-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-lusitaniae-apache_exporter-1.0.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13109",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13109-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32149 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32149/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13109-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"product": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"product_id": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"product": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"product_id": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"product": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"product_id": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64",
"product": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64",
"product_id": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64"
},
"product_reference": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le"
},
"product_reference": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x"
},
"product_reference": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
},
"product_reference": "golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-32149",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32149"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32149",
"url": "https://www.suse.com/security/cve/CVE-2022-32149"
},
{
"category": "external",
"summary": "SUSE Bug 1204501 for CVE-2022-32149",
"url": "https://bugzilla.suse.com/1204501"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-32149"
},
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
},
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-lusitaniae-apache_exporter-1.0.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
OPENSUSE-SU-2024:13143-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-prometheus-prometheus-2.46.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-prometheus-prometheus-2.46.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13143",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13143-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
}
],
"title": "golang-github-prometheus-prometheus-2.46.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13143-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"product": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"product_id": "golang-github-prometheus-prometheus-2.46.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"product": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"product_id": "golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"product": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"product_id": "golang-github-prometheus-prometheus-2.46.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.x86_64",
"product": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.x86_64",
"product_id": "golang-github-prometheus-prometheus-2.46.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.aarch64"
},
"product_reference": "golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le"
},
"product_reference": "golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.s390x"
},
"product_reference": "golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.46.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.x86_64"
},
"product_reference": "golang-github-prometheus-prometheus-2.46.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.46.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
}
]
}
RHBA-2023:2181
Vulnerability from csaf_redhat - Published: 2023-05-09 09:51 - Updated: 2026-06-09 21:19

A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64 | — |
A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64 | — |
A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64 | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src | — | ||
| Unresolved product id: AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for delve, golang, and go-toolset is now available for Red Hat Enterprise Linux 9.",
"title": "Topic"
},
{
"category": "general",
"text": "For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2023:2181",
"url": "https://access.redhat.com/errata/RHBA-2023:2181"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "1966992",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966992"
},
{
"category": "external",
"summary": "2133019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2133019"
},
{
"category": "external",
"summary": "2137763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137763"
},
{
"category": "external",
"summary": "2138231",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138231"
},
{
"category": "external",
"summary": "2157587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157587"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_2181.json"
}
],
"title": "Red Hat Bug Fix Advisory: delve, golang, and go-toolset bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-09T21:19:59+00:00",
"generator": {
"date": "2026-06-09T21:19:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHBA-2023:2181",
"initial_release_date": "2023-05-09T09:51:23+00:00",
"revision_history": [
{
"date": "2023-05-09T09:51:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T09:51:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-09T21:19:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.el9.src",
"product": {
"name": "delve-0:1.9.1-1.el9.src",
"product_id": "delve-0:1.9.1-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.6-2.el9_2.src",
"product": {
"name": "golang-0:1.19.6-2.el9_2.src",
"product_id": "golang-0:1.19.6-2.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.6-2.el9_2?arch=src"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.6-2.el9_2.src",
"product": {
"name": "go-toolset-0:1.19.6-2.el9_2.src",
"product_id": "go-toolset-0:1.19.6-2.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.6-2.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.9.1-1.el9.x86_64",
"product": {
"name": "delve-0:1.9.1-1.el9.x86_64",
"product_id": "delve-0:1.9.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.9.1-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.9.1-1.el9.x86_64",
"product": {
"name": "delve-debugsource-0:1.9.1-1.el9.x86_64",
"product_id": "delve-debugsource-0:1.9.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.9.1-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.9.1-1.el9.x86_64",
"product": {
"name": "delve-debuginfo-0:1.9.1-1.el9.x86_64",
"product_id": "delve-debuginfo-0:1.9.1-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.9.1-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.19.6-2.el9_2.x86_64",
"product": {
"name": "golang-0:1.19.6-2.el9_2.x86_64",
"product_id": "golang-0:1.19.6-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.6-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.6-2.el9_2.x86_64",
"product": {
"name": "golang-bin-0:1.19.6-2.el9_2.x86_64",
"product_id": "golang-bin-0:1.19.6-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.6-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.6-2.el9_2.x86_64",
"product": {
"name": "golang-race-0:1.19.6-2.el9_2.x86_64",
"product_id": "golang-race-0:1.19.6-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.6-2.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.6-2.el9_2.x86_64",
"product": {
"name": "go-toolset-0:1.19.6-2.el9_2.x86_64",
"product_id": "go-toolset-0:1.19.6-2.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.6-2.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.6-2.el9_2.aarch64",
"product": {
"name": "golang-0:1.19.6-2.el9_2.aarch64",
"product_id": "golang-0:1.19.6-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.6-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.6-2.el9_2.aarch64",
"product": {
"name": "golang-bin-0:1.19.6-2.el9_2.aarch64",
"product_id": "golang-bin-0:1.19.6-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.6-2.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.6-2.el9_2.aarch64",
"product": {
"name": "go-toolset-0:1.19.6-2.el9_2.aarch64",
"product_id": "go-toolset-0:1.19.6-2.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.6-2.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.6-2.el9_2.ppc64le",
"product": {
"name": "golang-0:1.19.6-2.el9_2.ppc64le",
"product_id": "golang-0:1.19.6-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.6-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.6-2.el9_2.ppc64le",
"product": {
"name": "golang-bin-0:1.19.6-2.el9_2.ppc64le",
"product_id": "golang-bin-0:1.19.6-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.6-2.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.6-2.el9_2.ppc64le",
"product": {
"name": "go-toolset-0:1.19.6-2.el9_2.ppc64le",
"product_id": "go-toolset-0:1.19.6-2.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.6-2.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.6-2.el9_2.s390x",
"product": {
"name": "golang-0:1.19.6-2.el9_2.s390x",
"product_id": "golang-0:1.19.6-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.6-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.6-2.el9_2.s390x",
"product": {
"name": "golang-bin-0:1.19.6-2.el9_2.s390x",
"product_id": "golang-bin-0:1.19.6-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.6-2.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.19.6-2.el9_2.s390x",
"product": {
"name": "go-toolset-0:1.19.6-2.el9_2.s390x",
"product_id": "go-toolset-0:1.19.6-2.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.19.6-2.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.6-2.el9_2.noarch",
"product": {
"name": "golang-docs-0:1.19.6-2.el9_2.noarch",
"product_id": "golang-docs-0:1.19.6-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.6-2.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.6-2.el9_2.noarch",
"product": {
"name": "golang-misc-0:1.19.6-2.el9_2.noarch",
"product_id": "golang-misc-0:1.19.6-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.6-2.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.6-2.el9_2.noarch",
"product": {
"name": "golang-src-0:1.19.6-2.el9_2.noarch",
"product_id": "golang-src-0:1.19.6-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.6-2.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.6-2.el9_2.noarch",
"product": {
"name": "golang-tests-0:1.19.6-2.el9_2.noarch",
"product_id": "golang-tests-0:1.19.6-2.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.6-2.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src"
},
"product_reference": "delve-0:1.9.1-1.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.9.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64"
},
"product_reference": "delve-0:1.9.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.9.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64"
},
"product_reference": "delve-debuginfo-0:1.9.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.9.1-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64"
},
"product_reference": "delve-debugsource-0:1.9.1-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.6-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64"
},
"product_reference": "go-toolset-0:1.19.6-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.6-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le"
},
"product_reference": "go-toolset-0:1.19.6-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.6-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x"
},
"product_reference": "go-toolset-0:1.19.6-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.6-2.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src"
},
"product_reference": "go-toolset-0:1.19.6-2.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.19.6-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
},
"product_reference": "go-toolset-0:1.19.6-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.6-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64"
},
"product_reference": "golang-0:1.19.6-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.6-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le"
},
"product_reference": "golang-0:1.19.6-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.6-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x"
},
"product_reference": "golang-0:1.19.6-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.6-2.el9_2.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src"
},
"product_reference": "golang-0:1.19.6-2.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.6-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64"
},
"product_reference": "golang-0:1.19.6-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.6-2.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64"
},
"product_reference": "golang-bin-0:1.19.6-2.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.6-2.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le"
},
"product_reference": "golang-bin-0:1.19.6-2.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.6-2.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x"
},
"product_reference": "golang-bin-0:1.19.6-2.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.6-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64"
},
"product_reference": "golang-bin-0:1.19.6-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.6-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch"
},
"product_reference": "golang-docs-0:1.19.6-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.6-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch"
},
"product_reference": "golang-misc-0:1.19.6-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.6-2.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64"
},
"product_reference": "golang-race-0:1.19.6-2.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.6-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch"
},
"product_reference": "golang-src-0:1.19.6-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.6-2.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
},
"product_reference": "golang-tests-0:1.19.6-2.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Philippe Antoine"
],
"organization": "Catena Cyber"
}
],
"cve": "CVE-2022-41723",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-03-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2178358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container, so the impact could not cascade across the entire infrastructure; this vulnerability is rated Moderate impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"known_not_affected": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "RHBZ#2178358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h",
"url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h"
},
{
"category": "external",
"summary": "https://go.dev/cl/468135",
"url": "https://go.dev/cl/468135"
},
{
"category": "external",
"summary": "https://go.dev/cl/468295",
"url": "https://go.dev/cl/468295"
},
{
"category": "external",
"summary": "https://go.dev/issue/57855",
"url": "https://go.dev/issue/57855"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-1571",
"url": "https://pkg.go.dev/vuln/GO-2023-1571"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-1571.json",
"url": "https://vuln.go.dev/ID/GO-2023-1571.json"
}
],
"release_date": "2023-02-17T14:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:51:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:2181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding"
},
{
"cve": "CVE-2022-41724",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-03-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2178492"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: large handshake records may cause panics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a denial of service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"known_not_affected": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41724"
},
{
"category": "external",
"summary": "RHBZ#2178492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724"
},
{
"category": "external",
"summary": "https://go.dev/cl/468125",
"url": "https://go.dev/cl/468125"
},
{
"category": "external",
"summary": "https://go.dev/issue/58001",
"url": "https://go.dev/issue/58001"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-1570",
"url": "https://pkg.go.dev/vuln/GO-2023-1570"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:51:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:2181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: large handshake records may cause panics"
},
{
"cve": "CVE-2022-41725",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-03-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2178488"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, mime/multipart: denial of service from excessive resource consumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"known_not_affected": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41725"
},
{
"category": "external",
"summary": "RHBZ#2178488",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178488"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725"
},
{
"category": "external",
"summary": "https://go.dev/cl/468124",
"url": "https://go.dev/cl/468124"
},
{
"category": "external",
"summary": "https://go.dev/issue/58006",
"url": "https://go.dev/issue/58006"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-1569",
"url": "https://pkg.go.dev/vuln/GO-2023-1569"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:51:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:2181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.src",
"AppStream-9.2.0.GA:delve-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debuginfo-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:delve-debugsource-0:1.9.1-1.el9.x86_64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:go-toolset-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.src",
"AppStream-9.2.0.GA:golang-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.aarch64",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.ppc64le",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.s390x",
"AppStream-9.2.0.GA:golang-bin-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-docs-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-misc-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-race-0:1.19.6-2.el9_2.x86_64",
"AppStream-9.2.0.GA:golang-src-0:1.19.6-2.el9_2.noarch",
"AppStream-9.2.0.GA:golang-tests-0:1.19.6-2.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http, mime/multipart: denial of service from excessive resource consumption"
}
]
}
RHBA-2023:3611
Vulnerability from csaf_redhat - Published: 2023-06-15 00:29 - Updated: 2026-06-09 21:20

A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le | — | Vendor Fix fix | |
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x | — | Vendor Fix fix | |
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64 | — | Vendor Fix fix | |
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64 | — | Vendor Fix fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64 | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2023:3611",
"url": "https://access.redhat.com/errata/RHBA-2023:3611"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"url": "https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html"
},
{
"category": "external",
"summary": "OCPBUGS-13652",
"url": "https://issues.redhat.com/browse/OCPBUGS-13652"
},
{
"category": "external",
"summary": "OCPBUGS-14393",
"url": "https://issues.redhat.com/browse/OCPBUGS-14393"
},
{
"category": "external",
"summary": "OCPBUGS-14642",
"url": "https://issues.redhat.com/browse/OCPBUGS-14642"
},
{
"category": "external",
"summary": "OCPBUGS-6632",
"url": "https://issues.redhat.com/browse/OCPBUGS-6632"
},
{
"category": "external",
"summary": "OCPBUGS-7016",
"url": "https://issues.redhat.com/browse/OCPBUGS-7016"
},
{
"category": "external",
"summary": "OCPBUGS-7017",
"url": "https://issues.redhat.com/browse/OCPBUGS-7017"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_3611.json"
}
],
"title": "Red Hat Bug Fix Advisory: Release of Bug Advisories for the OpenShift Jenkins and Jenkins agent base image",
"tracking": {
"current_release_date": "2026-06-09T21:20:01+00:00",
"generator": {
"date": "2026-06-09T21:20:01+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHBA-2023:3611",
"initial_release_date": "2023-06-15T00:29:54+00:00",
"revision_history": [
{
"date": "2023-06-15T00:29:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-06-15T00:29:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-09T21:20:01+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64",
"product": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64",
"product_id": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8\u0026tag=v4.12.0-1686649619"
}
}
},
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"product": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"product_id": "ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-rhel8\u0026tag=v4.12.0-1686650770"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"product": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"product_id": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8\u0026tag=v4.12.0-1686649619"
}
}
},
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64",
"product": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64",
"product_id": "ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-rhel8\u0026tag=v4.12.0-1686650770"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"product": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"product_id": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8\u0026tag=v4.12.0-1686649619"
}
}
},
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"product": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"product_id": "ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-rhel8\u0026tag=v4.12.0-1686650770"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"product": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"product_id": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8\u0026tag=v4.12.0-1686649619"
}
}
},
{
"category": "product_version",
"name": "ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"product": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"product_id": "ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4/jenkins-rhel8\u0026tag=v4.12.0-1686650770"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x"
},
"product_reference": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64 as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64"
},
"product_reference": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le"
},
"product_reference": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64 as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64"
},
"product_reference": "ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le"
},
"product_reference": "ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x"
},
"product_reference": "ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64 as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64"
},
"product_reference": "ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64 as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64"
},
"product_reference": "ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Philippe Antoine"
],
"organization": "Catena Cyber"
}
],
"cve": "CVE-2022-41723",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-03-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2178358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container so the impact could not cascade across the entire infrastructure, this vulnerability is rated Moderate impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "RHBZ#2178358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h",
"url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h"
},
{
"category": "external",
"summary": "https://go.dev/cl/468135",
"url": "https://go.dev/cl/468135"
},
{
"category": "external",
"summary": "https://go.dev/cl/468295",
"url": "https://go.dev/cl/468295"
},
{
"category": "external",
"summary": "https://go.dev/issue/57855",
"url": "https://go.dev/issue/57855"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-1571",
"url": "https://pkg.go.dev/vuln/GO-2023-1571"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-1571.json",
"url": "https://vuln.go.dev/ID/GO-2023-1571.json"
}
],
"release_date": "2023-02-17T14:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T00:29:54+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2023:3611"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:3d008c8fe975ab44031a6a1a524b8501acbc040d283e81982f429f31b7cf46bc_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:85cf90bc3dd633e33cf9d26e99f92859c530d5bcfda1098b75b984a546de71d2_arm64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:8e32ea3e4fd183303f9d39cf2547f094767ea281871779279c11621be8c2dbc8_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-agent-base-rhel8@sha256:d2b1d82bb799a1be9d814c756bcb62d56fcd6e508e931b74cada392a20818af6_amd64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:815b74527294e88078bed7849245cd6af2fde55eff426de76d627cd1bee320fb_ppc64le",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:816601e12a70a9ae1c39f5933c871e4520776ed159fe73c09f46b9dace3ed4a3_s390x",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:96dd08bfa56b6e09e7b65c97eda0a679670f1996c944aadfb2f3131d1e041ebc_amd64",
"8Base-OCP-Tools-4.12:ocp-tools-4/jenkins-rhel8@sha256:aba721a1e9eca5a15a170325844cfaa4f4c70f11621e4c41ec5a5bfc7b46534e_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.