CVE-2024-1442
Vulnerability from cvelistv5
Published
2024-03-07 17:45
Modified
2024-08-01 18:40
Summary
User with permissions to create a data source can CRUD all data sources
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1442", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-26T14:35:40.672183Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-26T14:35:58.049Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:40:21.181Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://grafana.com/security/security-advisories/cve-2024-1442/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [ { "lessThan": "9.5.7", "status": "affected", "version": "8.5.0", "versionType": "semver" }, { "lessThan": "10.0.12", "status": "affected", "version": "10.0.0", "versionType": "semver" }, { "lessThan": "10.1.8", "status": "affected", "version": "10.1.0", "versionType": "semver" }, { "lessThan": "10.2.5", "status": "affected", "version": "10.2.0", "versionType": "semver" }, { "lessThan": "10.3.4", "status": "affected", "version": "10.3.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\u003cbr\u003eDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\u003cbr\u003e" } ], "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n" } ], "impacts": 
[ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-07T17:45:43.993Z", "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA" }, "references": [ { "url": "https://grafana.com/security/security-advisories/cve-2024-1442/" } ], "source": { "discovery": "INTERNAL" }, "title": "User with permissions to create a data source can CRUD all data sources", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "assignerShortName": "GRAFANA", "cveId": "CVE-2024-1442", "datePublished": "2024-03-07T17:45:43.993Z", "dateReserved": "2024-02-12T12:21:26.806Z", "dateUpdated": "2024-08-01T18:40:21.181Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-1442\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2024-03-07T18:15:46.590\",\"lastModified\":\"2024-03-08T14:02:57.420\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\" A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\\n\"},{\"lang\":\"es\",\"value\":\"Un usuario con permisos 
para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgar\u00e1 al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2024-1442/\",\"source\":\"security@grafana.com\"}]}}" } }
rhsa-2024_2633
Vulnerability from csaf_redhat
Published
2024-05-01 01:17
Modified
2024-11-07 01:57
Summary
Red Hat Security Advisory: updated rhceph-6.1 container image
Notes
Topic
Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.
Details
Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.
This updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.
Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index
All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.", "title": "Topic" }, { "category": "general", "text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/\nrelease_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:2633", "url": "https://access.redhat.com/errata/RHSA-2024:2633" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "category": "external", "summary": "2268486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268486" }, { "category": "external", "summary": "2272988", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272988" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2633.json" } ], "title": "Red Hat Security Advisory: updated rhceph-6.1 container image", "tracking": { "current_release_date": "2024-11-07T01:57:19+00:00", "generator": { "date": "2024-11-07T01:57:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2024:2633", "initial_release_date": "2024-05-01T01:17:27+00:00", "revision_history": [ { "date": "2024-05-01T01:17:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-05-01T01:17:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-07T01:57:19+00:00", "number": "3", "summary": 
"Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Ceph Storage 6.1 Tools", "product": { "name": "Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools", "product_identification_helper": { "cpe": "cpe:/a:redhat:ceph_storage:6.1::el9" } } } ], "category": "product_family", "name": "Red Hat Ceph Storage" }, { "branches": [ { "category": "product_version", "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "product": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-90" } } }, { "category": "product_version", "name": "rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "product": { "name": "rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "product_id": "rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "product_identification_helper": { "purl": "pkg:oci/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-11" } } }, { "category": "product_version", "name": "rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "product": { "name": 
"rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "product_id": "rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-19" } } }, { "category": "product_version", "name": "rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "product": { "name": "rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "product_id": "rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-311" } } }, { "category": "product_version", "name": "rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "product": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "product_id": "rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-12" } } }, { "category": "product_version", "name": "rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "product": { "name": 
"rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "product_id": "rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "product_identification_helper": { "purl": "pkg:oci/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-57" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "product": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-90" } } }, { "category": "product_version", "name": "rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "product": { "name": "rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "product_id": "rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "product_identification_helper": { "purl": "pkg:oci/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-11" } } }, { "category": "product_version", "name": 
"rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "product": { "name": "rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "product_id": "rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "product_identification_helper": { "purl": "pkg:oci/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-19" } } }, { "category": "product_version", "name": "rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "product": { "name": "rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "product_id": "rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-311" } } }, { "category": "product_version", "name": "rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "product": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "product_id": "rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "product_identification_helper": { "purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-12" } } }, { "category": "product_version", "name": 
"rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "product": { "name": "rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "product_id": "rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "product_identification_helper": { "purl": "pkg:oci/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-57" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "product": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-90" } } }, { "category": "product_version", "name": "rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "product": { "name": "rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "product_id": "rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "product_identification_helper": { "purl": "pkg:oci/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-11" } } }, { "category": 
"product_version", "name": "rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "product": { "name": "rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "product_id": "rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "product_identification_helper": { "purl": "pkg:oci/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-19" } } }, { "category": "product_version", "name": "rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "product": { "name": "rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "product_id": "rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "product_identification_helper": { "purl": "pkg:oci/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-311" } } }, { "category": "product_version", "name": "rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "product": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "product_id": "rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "product_identification_helper": { "purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-12" } } }, { "category": "product_version", "name": 
"rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64", "product": { "name": "rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64", "product_id": "rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64", "product_identification_helper": { "purl": "pkg:oci/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-57" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64" }, "product_reference": "rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le" }, "product_reference": "rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": 
"rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x" }, "product_reference": "rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le" }, "product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x" }, "product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64" }, "product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64" }, "product_reference": "rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le" }, "product_reference": "rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x" }, "product_reference": "rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": 
"default_component_of", "full_product_name": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64" }, "product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x" }, "product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le" }, "product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64" }, "product_reference": "rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le" }, "product_reference": "rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x" }, "product_reference": "rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x" }, "product_reference": "rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", 
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le" }, "product_reference": "rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" }, { "category": "default_component_of", "full_product_name": { "name": "rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64 as a component of Red Hat Ceph Storage 6.1 Tools", "product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" }, "product_reference": "rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64", "relates_to_product_reference": "9Base-RHCEPH-6.1-Tools" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-44487", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242803" } ], "notes": [ { "category": "description", "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. 
Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", "title": "Vulnerability summary" }, { "category": "other", "text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. 
These tools use the Golang packages only as a build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nThe rhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-44487" }, { "category": "external", "summary": "RHBZ#2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "category": "external", "summary": "RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487", "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" }, { "category": "external", "summary": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2102", "url": "https://pkg.go.dev/vuln/GO-2023-2102" }, { "category": "external", "summary": 
"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "category": "external", "summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-05-01T01:17:27+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nand\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:2633" }, { "category": "workaround", "details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. 
IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", 
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", 
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-10-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Important" } ], "title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)" }, { "cve": "CVE-2023-49569", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2024-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2258143" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was discovered in the go library go-git. This issue may allow an attacker to create and amend files across the filesystem when applications are using the default ChrootOS, potentially allowing remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients", "title": "Vulnerability summary" }, { "category": "other", "text": "This problem only affects the go implementation and not the original git cli code. Applications using BoundOS or in-memory filesystems are not affected by this issue. 
Clients should be limited to connect to only trusted git servers to reduce the risk of compromise.\n\nIn OpenShift Container Platform (OCP) the vulnerable github.com/go-git/go-git/v5 Go package is used as a dependency in many components where the vulnerable function is not used, hence the impact by this vulnerability is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-49569" }, { "category": "external", "summary": "RHBZ#2258143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258143" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-49569", "url": "https://www.cve.org/CVERecord?id=CVE-2023-49569" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-49569", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49569" }, { "category": "external", "summary": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", "url": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88" } ], "release_date": "2024-01-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-05-01T01:17:27+00:00", "details": "Before applying this update, make sure all 
previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nand\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:2633" }, { "category": "workaround", "details": "In cases where a bump to the latest version of go-git is not possible, a recommendation to reduce the exposure of this threat is limiting its use to only trust-worthy Git servers.", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ 
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", 
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients" }, { "cve": "CVE-2024-1442", "cwe": { "id": "CWE-269", "name": "Improper Privilege Management" }, "discovery_date": "2024-03-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2268486" } ], "notes": [ { "category": "description", "text": "A flaw was found in Grafana. A user with permission to create a data source can use the Grafana API to create a data source with its UID set to \u0027*\u0027. Doing so grants that user the ability to read, query, edit, and delete all data sources within the organization. Such unrestricted access can lead to data breaches, data manipulation, privacy violations, and compliance issues, which underlines the importance of enforcing strict access controls and monitoring API usage.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: Improper privilege management for users with data source permissions", "title": "Vulnerability summary" }, { "category": "other", "text": "The issue of allowing users to set the UID to \u0027*\u0027 via the Grafana API presents a moderate severity concern due to its potential impact on data integrity and security within the organization\u0027s Grafana instance. 
While the risk of unauthorized access and data manipulation is significant, its severity is tempered by the prerequisite of having permission to create a data source in the first place. However, once exploited, this vulnerability enables an attacker to bypass access controls and gain unfettered access to all data sources, allowing them to read, query, edit, and delete sensitive information.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64" ], "known_not_affected": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-1442" }, { "category": "external", "summary": "RHBZ#2268486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268486" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-1442", "url": "https://www.cve.org/CVERecord?id=CVE-2024-1442" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1442", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1442" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-5mxf-42f5-j782", "url": "https://github.com/advisories/GHSA-5mxf-42f5-j782" } ], "release_date": "2024-03-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": 
"2024-05-01T01:17:27+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nand\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:2633" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:2468c33f5af3403df5801d95667767dada47d2a4bfeb8aeda4e920a8e6142fb4_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:ecdabdca39cb872d0cef52b0e5c41b370eb04bd982fdb1b711de9003418a30f2_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:f6fc1dd62eaa7a09e878d2fde3f39f6c32db399d14554412ec09c2eb09a65c7b_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", 
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0e8fcaf340946dd2881027da80d977066726f5f2bdd454c2b61bcb8ce5aba58b_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:402140159dc4c78dca690a44491a10c51a33fed587d1855b8a781a5e8cf99dfc_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:fba5014ee58c3a8f39bb7967c4a6793e96382f946aff07a0d73038c36db8c1c6_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f8c1edbe9702894290cd87044c1a2965d5b70bd534b19dcae6ade98c5c2b0fd_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:7a5642eb5fe90cf6a1b73bedce8afc61f9d7c1d3a45e82ccc56c8ca79a455c45_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:b497b8004a2057c813d95cb35ba30980ef8b40f94d31b9307aa1fc4bbbe35542_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:2cfe8ff27053b918fb4d7bd9d0e393eaed4df688206559dd98ffa604a28bf15c_amd64", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:4f37df3ad28df39a044c0e4575299acaed7301c4bdccd6f608b8775a4a0ad513_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d1b5e1feef37c5212c73fb3ffb4ed51ccafcb1bd9fa99cefc65f937f998852fb_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:414bfdfdd4af59dd1388a407e40e4b523180bac9266088650a63b96a4b70b391_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:9a84f9e7a9999fadd11fd4091f0e29c99742177a71b360cf930b3ff202bfcc2f_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:da2298ff218ec5a827501ef8de531d00e00358c9b1a34a55752fd328fae61b5a_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:077eed7e75034ed98d1d47854031e9f99277d6445165b4256c52ba3116c78a99_ppc64le", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ac73cc9d02509b10de7a49a54762c6ad249aaf079fbd4720e97a2892bb342110_s390x", "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:fe54e5bfb8d49393d1fac21755ad1017c5b7c34c23dec18563170396f81d15a9_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: Improper priviledge managent for users with data source permissions" } ] }
ghsa-5mxf-42f5-j782
Vulnerability from github
Published
2024-03-07 18:30
Modified
2024-07-08 20:32
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Grafana's users with permissions to create a data source can CRUD all data sources
Details
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "8.5.0" }, { "fixed": "9.5.7" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.12" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.8" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "10.2.0" }, { "fixed": "10.2.5" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "10.3.0" }, { "fixed": "10.3.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-1442" ], "database_specific": { "cwe_ids": [ "CWE-269" ], "github_reviewed": true, "github_reviewed_at": "2024-03-07T19:11:52Z", "nvd_published_at": "2024-03-07T18:15:46Z", "severity": "MODERATE" }, "details": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n", "id": "GHSA-5mxf-42f5-j782", "modified": "2024-07-08T20:32:56Z", "published": "2024-03-07T18:30:28Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1442" }, { "type": "PACKAGE", "url": "https://github.com/grafana/grafana" }, { "type": "WEB", "url": "https://grafana.com/security/security-advisories/cve-2024-1442" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Grafana\u0027s users 
with permissions to create a data source can CRUD all data sources" }
wid-sec-w-2024-0585
Vulnerability from csaf_certbund
Published
2024-03-07 23:00
Modified
2024-05-01 22:00
Summary
Grafana: Vulnerability allows privilege escalation
Notes
The BSI, as the provider of its own content made available for use, is responsible for that content under the general laws. Users, however, are responsible for carefully checking in each individual case the use and/or implementation of the information provided with the content.
Product description
Grafana is open-source analytics and visualization software.
Attack
A remote, authenticated attacker can exploit a vulnerability in Grafana to escalate their privileges.
Affected operating systems
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Grafana ausnutzen, um seine Privilegien zu erh\u00f6hen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0585 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0585.json" }, { "category": "self", "summary": "WID-SEC-2024-0585 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0585" }, { "category": "external", "summary": "Grafana Security Release vom 2024-03-07", "url": "https://grafana.com/blog/2024/03/07/grafana-security-release-medium-severity-security-fix-for-cve-2024-1442/" }, { "category": "external", "summary": "RedHat Bugzilla vom 2024-03-07", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268486" }, { "category": "external", "summary": "GitHub Advisory Database vom 2024-03-07", "url": 
"https://github.com/advisories/GHSA-5mxf-42f5-j782" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:2633 vom 2024-05-01", "url": "https://access.redhat.com/errata/RHSA-2024:2633" } ], "source_lang": "en-US", "title": "Grafana: Schwachstelle erm\u00f6glicht Privilegieneskalation", "tracking": { "current_release_date": "2024-05-01T22:00:00.000+00:00", "generator": { "date": "2024-05-02T08:38:45.966+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0585", "initial_release_date": "2024-03-07T23:00:00.000+00:00", "revision_history": [ { "date": "2024-03-07T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-05-01T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c9.5.17", "product": { "name": "Open Source Grafana \u003c9.5.17", "product_id": "T033309", "product_identification_helper": { "cpe": "cpe:/a:grafana:grafana:9.5.17" } } }, { "category": "product_version_range", "name": "\u003c10.0.12", "product": { "name": "Open Source Grafana \u003c10.0.12", "product_id": "T033310", "product_identification_helper": { "cpe": "cpe:/a:grafana:grafana:10.0.12" } } }, { "category": "product_version_range", "name": "\u003c10.1.8", "product": { "name": "Open Source Grafana \u003c10.1.8", "product_id": "T033311", "product_identification_helper": { "cpe": "cpe:/a:grafana:grafana:10.1.8" } } }, { "category": "product_version_range", "name": "\u003c10.2.5", "product": { "name": "Open Source Grafana \u003c10.2.5", "product_id": "T033312", "product_identification_helper": { "cpe": "cpe:/a:grafana:grafana:10.2.5" } } }, { "category": "product_version_range", "name": "\u003c10.3.4", "product": { "name": "Open Source Grafana \u003c10.3.4", "product_id": "T033313", "product_identification_helper": { 
"cpe": "cpe:/a:grafana:grafana:10.3.4" } } }, { "category": "product_version_range", "name": "\u003c10.4.0", "product": { "name": "Open Source Grafana \u003c10.4.0", "product_id": "T033314", "product_identification_helper": { "cpe": "cpe:/a:grafana:grafana:10.4.0" } } } ], "category": "product_name", "name": "Grafana" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-1442", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Grafana. Dieser Fehler besteht in der API aufgrund einer fehlenden UID-Validierung und einer unsachgem\u00e4\u00dfen Privilegienverwaltung. Diese erm\u00f6glicht es, eine Datenquelle innerhalb einer Organisation zu erstellen, um Zugriff auf die Abfrage, Bearbeitung, Freigabe und L\u00f6schung einer beliebigen bestehenden Datenquelle zu erhalten. Ein entfernter, privilegierter Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "67646" ] }, "release_date": "2024-03-07T23:00:00Z", "title": "CVE-2024-1442" } ] }
gsd-2024-1442
Vulnerability from gsd
Modified
2024-02-13 06:02
Details
A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.
Doing this will grant the user access to read, query, edit and delete all data sources within the organization.
Aliases
{ "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2024-1442" ], "details": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n", "id": "GSD-2024-1442", "modified": "2024-02-13T06:02:27.305823Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@grafana.com", "ID": "CVE-2024-1442", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Grafana", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "8.5.0", "version_value": "9.5.7" }, { "version_affected": "\u003c", "version_name": "10.0.0", "version_value": "10.0.12" }, { "version_affected": "\u003c", "version_name": "10.1.0", "version_value": "10.1.8" }, { "version_affected": "\u003c", "version_name": "10.2.0", "version_value": "10.2.5" }, { "version_affected": "\u003c", "version_name": "10.3.0", "version_value": "10.3.4" } ] } } ] }, "vendor_name": "Grafana" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n" } ] }, "generator": { "engine": "Vulnogram 0.1.0-dev" }, "impact": { "cvss": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-269", "lang": "eng", "value": "CWE-269" } ] } ] }, "references": { "reference_data": [ { "name": "https://grafana.com/security/security-advisories/cve-2024-1442/", "refsource": "MISC", "url": "https://grafana.com/security/security-advisories/cve-2024-1442/" } ] }, "source": { "discovery": "INTERNAL" } }, "nvd.nist.gov": { "cve": { "descriptions": [ { "lang": "en", "value": " A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *.\nDoing this will grant the user access to read, query, edit and delete all data sources within the organization.\n" }, { "lang": "es", "value": "Un usuario con permisos para crear una fuente de datos puede usar Grafana API para crear una fuente de datos con UID configurado en *. Hacer esto le otorgar\u00e1 al usuario acceso para leer, consultar, editar y eliminar todas las fuentes de datos dentro de la organizaci\u00f3n." 
} ], "id": "CVE-2024-1442", "lastModified": "2024-03-08T14:02:57.420", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security@grafana.com", "type": "Secondary" } ] }, "published": "2024-03-07T18:15:46.590", "references": [ { "source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2024-1442/" } ], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security@grafana.com", "type": "Secondary" } ] } } } }