Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-6965 (GCVE-0-2025-6965)
Vulnerability from cvelistv5 – Published: 2025-07-15 13:44 – Updated: 2026-04-29 03:55
VLAI
EPSS
Title
Integer Truncation on SQLite
Summary
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-197 - Numeric Truncation Error
Assigner
References
9 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| SQLite | SQLite |
Affected:
0 , < 3.50.2
(semver)
|
|
| Siemens | RUGGEDCOM CROSSBOW Station Access Controller (SAC) |
Affected:
0 , < V5.8
(custom)
|
|
| Siemens | SIDIS Prime |
Affected:
0 , < V4.0.800
(custom)
|
Date Public
2025-06-27 22:00
Credits
Vlad Stolyarov of Google's Threat Analysis Group, with assistance from Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T03:55:46.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:14:51.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/57"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/56"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/58"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/49"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/06/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM CROSSBOW Station Access Controller (SAC)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V5.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIDIS Prime",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0.800",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T08:58:07.313Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-485750.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-225816.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.sqlite.org/src",
"defaultStatus": "unaffected",
"packageName": "expr.c",
"product": "SQLite",
"programFiles": [
"expr.c"
],
"vendor": "SQLite",
"versions": [
{
"lessThan": "3.50.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vlad Stolyarov of Google\u0027s Threat Analysis Group, with assistance from Google Big Sleep"
}
],
"datePublic": "2025-06-27T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above."
}
],
"value": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above."
}
],
"impacts": [
{
"capecId": "CAPEC-679",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-679 Exploitation of Improperly Configured or Implemented Memory Protections"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-197",
"description": "CWE-197: Numeric Truncation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:44:00.784Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer Truncation on SQLite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-6965",
"datePublished": "2025-07-15T13:44:00.784Z",
"dateReserved": "2025-07-01T09:19:04.750Z",
"dateUpdated": "2026-04-29T03:55:46.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-6965",
"date": "2026-06-05",
"epss": "0.01689",
"percentile": "0.82597"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-6965\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2025-07-15T14:15:31.080\",\"lastModified\":\"2026-04-14T10:16:29.853\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad en las versiones de SQLite anteriores a la 3.50.2 donde el n\u00famero de t\u00e9rminos agregados podr\u00eda exceder el n\u00famero de columnas disponibles. Esto podr\u00eda causar un problema de corrupci\u00f3n de memoria. Recomendamos actualizar a la versi\u00f3n 3.50.2 o superior.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NEGLIGIBLE\",\"Automatable\":\"NO\",\"Recovery\":\"USER\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"GREEN\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-197\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.50.2\",\"matchCriteriaId\":\"C1739DFA-8AEF-4CDE-9CB8-A1B601EA6FDB\"}]}]}],\"references\":[{\"url\":\"https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://seclists.org/fulldisclosure/2025/Sep/49\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Sep/53\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Sep/56\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Sep/57\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Sep/58\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/09/06/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-225816.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-485750.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/57\"}, {\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/56\"}, {\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/53\"}, {\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/58\"}, {\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/49\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/09/06/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:14:51.528Z\"}}, {\"affected\": [{\"vendor\": \"Siemens\", \"product\": \"RUGGEDCOM CROSSBOW Station Access Controller (SAC)\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V5.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"SIDIS Prime\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V4.0.800\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"x_adpType\": \"supplier\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-485750.html\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-225816.html\"}], \"providerMetadata\": {\"orgId\": \"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\", \"shortName\": \"siemens-SADP\", \"dateUpdated\": \"2026-04-14T08:58:07.313Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6965\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-15T13:55:28.325825Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-15T13:55:30.882Z\"}}], \"cna\": {\"title\": \"Integer Truncation on SQLite\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Vlad Stolyarov of Google\u0027s Threat Analysis Group, with assistance from Google Big Sleep\"}], \"impacts\": [{\"capecId\": \"CAPEC-679\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-679 Exploitation of Improperly Configured or Implemented Memory Protections\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NEGLIGIBLE\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 7.2, \"Automatable\": \"NO\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/AU:N/R:U/V:D/RE:L/U:Green\", \"providerUrgency\": \"GREEN\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SQLite\", \"product\": \"SQLite\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.50.2\", \"versionType\": \"semver\"}], \"packageName\": \"expr.c\", \"programFiles\": [\"expr.c\"], \"collectionURL\": \"https://www.sqlite.org/src\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-06-27T22:00:00.000Z\", \"references\": [{\"url\": \"https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-197\", \"description\": \"CWE-197: Numeric Truncation Error\"}]}], \"providerMetadata\": {\"orgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"shortName\": \"Google\", \"dateUpdated\": \"2025-07-15T13:44:00.784Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-6965\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-29T03:55:46.708Z\", \"dateReserved\": \"2025-07-01T09:19:04.750Z\", \"assignerOrgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"datePublished\": \"2025-07-15T13:44:00.784Z\", \"assignerShortName\": \"Google\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2025:18218
Vulnerability from csaf_redhat - Published: 2025-10-22 05:09 - Updated: 2026-06-05 00:27Summary
Red Hat Security Advisory: OpenShift Container Platform 4.17.42 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.17.42 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 4.17.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.17.42. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/155270
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/
Security Fix(es):
* libarchive: Double free at archive_read_format_rar_seek_data() in
archive_read_support_format_rar.c (CVE-2025-5914)
* unbound: Unbound Cache poisoning (CVE-2025-5994)
* sqlite: Integer Truncation in SQLite (CVE-2025-6965)
* podman: Podman kube play command may overwrite host files (CVE-2025-9566)
* libxml: Heap use after free (UAF) leads to Denial of service (DoS)
(CVE-2025-49794)
* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
All OpenShift Container Platform 4.17 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
8.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
42 references
Acknowledgments
Red Hat
Paul Holzinger
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.17.42 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\n This release includes a security update for Red Hat OpenShift Container\nPlatform 4.17.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.17.42. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/155270\n\nSpace precludes documenting all of the container images in this advisory.\nSee the following Release Notes documentation, which will be updated\nshortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nSecurity Fix(es):\n\n* libarchive: Double free at archive_read_format_rar_seek_data() in\narchive_read_support_format_rar.c (CVE-2025-5914)\n* unbound: Unbound Cache poisoning (CVE-2025-5994)\n* sqlite: Integer Truncation in SQLite (CVE-2025-6965)\n* podman: Podman kube play command may overwrite host files (CVE-2025-9566)\n* libxml: Heap use after free (UAF) leads to Denial of service (DoS)\n(CVE-2025-49794)\n* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:18218",
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_18218.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.17.42 bug fix and security update",
"tracking": {
"current_release_date": "2026-06-05T00:27:23+00:00",
"generator": {
"date": "2026-06-05T00:27:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:18218",
"initial_release_date": "2025-10-22T05:09:35+00:00",
"revision_history": [
{
"date": "2025-10-22T05:09:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-22T05:09:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:27:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.17",
"product": {
"name": "Red Hat OpenShift Container Platform 4.17",
"product_id": "9Base-RHOSE-4.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.17::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-aarch64-417.94.202510112152-0",
"product": {
"name": "rhcos-aarch64-417.94.202510112152-0",
"product_id": "rhcos-aarch64-417.94.202510112152-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@417.94.202510112152?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-ppc64le-417.94.202510112152-0",
"product": {
"name": "rhcos-ppc64le-417.94.202510112152-0",
"product_id": "rhcos-ppc64le-417.94.202510112152-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@417.94.202510112152?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-s390x-417.94.202510112152-0",
"product": {
"name": "rhcos-s390x-417.94.202510112152-0",
"product_id": "rhcos-s390x-417.94.202510112152-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@417.94.202510112152?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-x86_64-417.94.202510112152-0",
"product": {
"name": "rhcos-x86_64-417.94.202510112152-0",
"product_id": "rhcos-x86_64-417.94.202510112152-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@417.94.202510112152?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-aarch64-417.94.202510112152-0 as a component of Red Hat OpenShift Container Platform 4.17",
"product_id": "9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0"
},
"product_reference": "rhcos-aarch64-417.94.202510112152-0",
"relates_to_product_reference": "9Base-RHOSE-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-ppc64le-417.94.202510112152-0 as a component of Red Hat OpenShift Container Platform 4.17",
"product_id": "9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0"
},
"product_reference": "rhcos-ppc64le-417.94.202510112152-0",
"relates_to_product_reference": "9Base-RHOSE-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-s390x-417.94.202510112152-0 as a component of Red Hat OpenShift Container Platform 4.17",
"product_id": "9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0"
},
"product_reference": "rhcos-s390x-417.94.202510112152-0",
"relates_to_product_reference": "9Base-RHOSE-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-x86_64-417.94.202510112152-0 as a component of Red Hat OpenShift Container Platform 4.17",
"product_id": "9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
},
"product_reference": "rhcos-x86_64-417.94.202510112152-0",
"relates_to_product_reference": "9Base-RHOSE-4.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"cve": "CVE-2025-5994",
"cwe": {
"id": "CWE-349",
"name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"discovery_date": "2025-07-16T15:01:36.497027+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380949"
}
],
"notes": [
{
"category": "description",
"text": "A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unbound: Unbound Cache poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important rather than Moderate because it directly compromises the integrity of DNS caching mechanisms in resolvers supporting EDNS Client Subnet (ECS). The flaw allows an attacker to exploit the birthday paradox by generating a high volume of concurrent queries with different ECS values, thereby increasing the chance of a transaction ID collision with a spoofed response. If the resolver fails to properly segregate cache entries by ECS scope, it may accept and cache a malicious non-ECS response, effectively leading to DNS cache poisoning. Unlike typical poisoning attempts that require precise timing or privileged network positions, this attack can be carried out remotely with a high success rate, especially in resolvers that do not correctly isolate ECS queries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5994"
},
{
"category": "external",
"summary": "RHBZ#2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"release_date": "2025-07-16T14:38:22.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "unbound: Unbound Cache poisoning"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Paul Holzinger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-9566",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-04T15:45:46.448000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393152"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "podman: Podman kube play command may overwrite host files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having the Important severity. This happens because of the consequences of an successful attack and the low complexity (AC:L) on exploiting this vulnerability. Although the attacker cannot control the content written to the target file, depending on which file was targeted, the exploitation of this flaw may lead sensitive data corruption (I:H) and leading the system to crash resulting in a Denial of Service attack (A:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "RHBZ#2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89",
"url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw",
"url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
}
],
"release_date": "2025-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "workaround",
"details": "Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "podman: Podman kube play command may overwrite host files"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-22T05:09:35+00:00",
"details": "For OpenShift Container Platform 4.17 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.17 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.17:rhcos-aarch64-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-ppc64le-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-s390x-417.94.202510112152-0",
"9Base-RHOSE-4.17:rhcos-x86_64-417.94.202510112152-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
}
]
}
RHSA-2025:18219
Vulnerability from csaf_redhat - Published: 2025-10-16 08:41 - Updated: 2026-06-05 00:27Summary
Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.16.0
Severity
Important
Notes
Topic: cert-manager Operator for Red Hat OpenShift 1.16.0
Details: The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities
and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide
certificates-as-a-service to developers working within your Kubernetes cluster.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in CPython's tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter="data" or filter="tar" extraction filters.
7.6 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract() or TarFile.extractall() with the filter= parameter set to "data" or "tar".
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall() or TarFile.extract() methods with the extraction filter parameter set to "data" or "tar".
7.6 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — | ||
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — | ||
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — | ||
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Threats
Impact
Important
A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 | — |
Workaround
|
|
| Unresolved product id: cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 | — |
Workaround
|
Threats
Impact
Important
References
69 references
Acknowledgments
ANSSI - French Cybersecurity Agency
Olivier BAL-PETRE
Google Project Zero
Sergei Glazunov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cert-manager Operator for Red Hat OpenShift 1.16.0",
"title": "Topic"
},
{
"category": "general",
"text": "The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities\nand certificates as first-class resource types in the Kubernetes API. This makes it possible to provide\ncertificates-as-a-service to developers working within your Kubernetes cluster.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:18219",
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-12718",
"url": "https://access.redhat.com/security/cve/CVE-2024-12718"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-4138",
"url": "https://access.redhat.com/security/cve/CVE-2025-4138"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-4517",
"url": "https://access.redhat.com/security/cve/CVE-2025-4517"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-49794",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-49796",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-5914",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6020",
"url": "https://access.redhat.com/security/cve/CVE-2025-6020"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6965",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-7425",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-8941",
"url": "https://access.redhat.com/security/cve/CVE-2025-8941"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html",
"url": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_18219.json"
}
],
"title": "Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.16.0",
"tracking": {
"current_release_date": "2026-06-05T00:27:28+00:00",
"generator": {
"date": "2026-06-05T00:27:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:18219",
"initial_release_date": "2025-10-16T08:41:21+00:00",
"revision_history": [
{
"date": "2025-10-16T08:41:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-16T08:41:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:27:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "cert-manager operator for Red Hat OpenShift 1.16",
"product": {
"name": "cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cert_manager:1.16::el9"
}
}
}
],
"category": "product_family",
"name": "cert-manager operator for Red Hat OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760515757"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760509690"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Aec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760515757"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760509690"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760515757"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760509690"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Adf852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760515757"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"product": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=v1.16.5-1760509690"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64 as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64 as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64 as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64 as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x as a component of cert-manager operator for Red Hat OpenShift 1.16",
"product_id": "cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
},
"product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x",
"relates_to_product_reference": "cert-manager operator for Red Hat OpenShift 1.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-12718",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-03T14:00:57.613538+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370013"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in CPython\u0027s tarfile module. This vulnerability allows modification of file metadata, such as timestamps or permissions, outside the intended extraction directory via maliciously crafted tar archives using the filter=\"data\" or filter=\"tar\" extraction filters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: python: Bypass extraction filter to modify file metadata outside extraction directory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The severity of this vulnerability was lowered due to the fact that successful exploitation requires the attacker to convince a privileged user or process to extract a malicious tar file. Since tar file extraction typically occurs in trusted contexts or with elevated privileges, the impact is reduced by the requirement of such access.\n\nVersions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as \u0027Not affected\u0027 as they just provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-12718"
},
{
"category": "external",
"summary": "RHBZ#2370013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-12718",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-12718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12718"
},
{
"category": "external",
"summary": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/127987",
"url": "https://github.com/python/cpython/issues/127987"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/135034",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/135037",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
}
],
"release_date": "2025-06-03T12:59:10.908000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cpython: python: Bypass extraction filter to modify file metadata outside extraction directory"
},
{
"cve": "CVE-2025-4138",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-12T09:03:58.434950+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372426"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract() or TarFile.extractall() with the filter= parameter set to \"data\" or \"tar\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as \u0027Not affected\u0027 as they just provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4138"
},
{
"category": "external",
"summary": "RHBZ#2372426",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372426"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4138"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4138",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4138"
},
{
"category": "external",
"summary": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/135034",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/135037",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
}
],
"release_date": "2025-06-03T12:59:02.717000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Red Hat recommends upgrading to a fixed release of Python as soon as one is available. This vulnerability can be mitigated by rejecting links inside tarfiles that use relative references to the parent directory. The upstream advisory provides this example code:\n\n\u0027\u0027\u0027\n# Avoid insecure segments in link names.\nfor member in tar.getmembers():\n if not member.islnk():\n continue\n if os.pardir in os.path.split(member.linkname):\n raise OSError(\"Tarfile with insecure segment (\u0027..\u0027) in linkname\")\n\n# Now safe to extract members with the data filter.\ntar.extractall(filter=\"data\")\n\u0027\u0027\u0027",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory"
},
{
"cve": "CVE-2025-4517",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-03T14:01:12.271192+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370016"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the CPython tarfile module. This vulnerability allows arbitrary filesystem writes outside the extraction directory via extracting untrusted tar archives using the TarFile.extractall() or TarFile.extract() methods with the extraction filter parameter set to \"data\" or \"tar\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: cpython: Arbitrary writes via tarfile realpath overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The severity of this vulnerability was lowered due to the fact that successful exploitation requires the attacker to convince a privileged user or process to extract a malicious tar file. Since tar file extraction typically occurs in trusted contexts or with elevated privileges, the impact is reduced by the requirement of such access.\n\nVersions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as \u0027Not affected\u0027 as they just provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4517"
},
{
"category": "external",
"summary": "RHBZ#2370016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370016"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4517",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4517"
},
{
"category": "external",
"summary": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f",
"url": "https://gist.github.com/sethmlarson/52398e33eff261329a0180ac1d54f42f"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a",
"url": "https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a",
"url": "https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/issues/135034",
"url": "https://github.com/python/cpython/issues/135034"
},
{
"category": "external",
"summary": "https://github.com/python/cpython/pull/135037",
"url": "https://github.com/python/cpython/pull/135037"
},
{
"category": "external",
"summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/"
}
],
"release_date": "2025-06-03T12:58:50.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python: cpython: Arbitrary writes via tarfile realpath overflow"
},
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"acknowledgments": [
{
"names": [
"Olivier BAL-PETRE"
],
"organization": "ANSSI - French Cybersecurity Agency"
}
],
"cve": "CVE-2025-6020",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-12T16:33:01.214000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372512"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "linux-pam: Linux-pam directory Traversal",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in pam_namespace marked as Important rather than Moderate due to its direct impact on privilege boundaries and the ease of exploitation in common configurations. By leveraging symlink attacks or race conditions in polyinstantiated directories under their control, unprivileged local users can escalate to root, compromising the entire system. Since pam_namespace is often used in multi-user environments (e.g., shared systems, terminal servers, containers), a misconfigured or partially protected setup becomes a single point of failure. The attack does not require special capabilities or kernel-level exploits\u2014just timing and control over certain paths\u2014making it both reliable and low-barrier. Moreover, privilege escalation flaws like this can be chained with other vulnerabilities to persist or evade detection, further amplifying the risk.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6020"
},
{
"category": "external",
"summary": "RHBZ#2372512",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372512"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6020"
},
{
"category": "external",
"summary": "https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx",
"url": "https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx"
}
],
"release_date": "2025-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Disable the `pam_namespace` module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like `/tmp`.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "linux-pam: Linux-pam directory Traversal"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Sergei Glazunov"
],
"organization": "Google Project Zero"
}
],
"cve": "CVE-2025-7425",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2025-07-10T09:37:28.172000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This heap-use-after-free vulnerability in libxslt is rated Important because it can lead to memory corruption and application crashes. The flaw arises when internal attribute metadata (atype) is modified by libxslt\u0027s xsltSetSourceNodeFlags() function during processing of result tree fragments. If the flag corruption prevents proper removal of ID references, later memory cleanup routines may operate on already-freed memory. Since libxslt is commonly used in server-side XML processing, this could result in denial-of-service or potentially facilitate code execution under certain memory reuse conditions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "RHBZ#2379274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7425",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140"
}
],
"release_date": "2025-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr"
},
{
"cve": "CVE-2025-8941",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-08-13T12:11:55.270000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388220"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a \"complete\" fix for CVE-2025-6020.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "linux-pam: Incomplete fix for CVE-2025-6020",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in pam_namespace is rated Important because it allows a local, unprivileged user to escalate privileges to root by exploiting symlink attacks or race conditions in polyinstantiated directories under their control. Successful exploitation requires only the ability to create and manipulate filesystem paths in such directories, without the need for special capabilities or kernel-level vulnerabilities. In multi-user environments\u2014such as shared systems, terminal servers, or certain container deployments, an unprotected or misconfigured pam_namespace configuration can serve as a single point of compromise. Privilege escalation flaws of this nature may also be chained with other vulnerabilities to maintain persistence or evade detection, further increasing the overall impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8941"
},
{
"category": "external",
"summary": "RHBZ#2388220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8941",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8941"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8941",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8941"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "Disable the `pam_namespace` module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like `/tmp`.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "linux-pam: Incomplete fix for CVE-2025-6020"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"known_not_affected": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-16T08:41:21+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:2b91440f3b71bc63e819a3def29e72b31f49878e03fbea67624de6a06925f340_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:691bfc535cb3d22962b0f6dc6fde226b3e70a5d68283ec1846396e3ee0fc7d07_s390x",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:768bd034b3d9e99e0a6c756fcd7d9ec00759c591569f25cd95cc8cb4eb449184_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:8c7a1ae39e07d9a0d578e1f62df4f05ab54cefe058595077403a9d9bbd0ce8e3_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b_amd64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:330e8b5ab4841a21f8f5f23cc7fb192197872f11639b12bf4b1e70831f636323_ppc64le",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:df852ad92734bc087e213e6c7075daf6d7010db4ab72919649736804e295a6a2_arm64",
"cert-manager operator for Red Hat OpenShift 1.16:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:ec9c6b34a40da29f3ee89b361d94879025a998d34309bf3b63c555f3c225eb16_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
}
]
}
RHSA-2025:18240
Vulnerability from csaf_redhat - Published: 2025-10-23 17:46 - Updated: 2026-06-03 17:13Summary
Red Hat Security Advisory: OpenShift Container Platform 4.13.61 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.13.61 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.61. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/155272
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes
Security Fix(es):
None
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
35 references
Acknowledgments
Red Hat
Paul Holzinger
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.13.61 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.13.61. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/155272\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nSecurity Fix(es):\n\nNone\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:18240",
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_18240.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.13.61 bug fix and security update",
"tracking": {
"current_release_date": "2026-06-03T17:13:12+00:00",
"generator": {
"date": "2026-06-03T17:13:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:18240",
"initial_release_date": "2025-10-23T17:46:13+00:00",
"revision_history": [
{
"date": "2025-10-23T17:46:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-23T17:46:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-03T17:13:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.13",
"product": {
"name": "Red Hat OpenShift Container Platform 4.13",
"product_id": "9Base-RHOSE-4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.13::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-x86_64-413.92.202510150118-0",
"product": {
"name": "rhcos-x86_64-413.92.202510150118-0",
"product_id": "rhcos-x86_64-413.92.202510150118-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@413.92.202510150118?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-x86_64-413.92.202510150118-0 as a component of Red Hat OpenShift Container Platform 4.13",
"product_id": "9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
},
"product_reference": "rhcos-x86_64-413.92.202510150118-0",
"relates_to_product_reference": "9Base-RHOSE-4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5994",
"cwe": {
"id": "CWE-349",
"name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"discovery_date": "2025-07-16T15:01:36.497027+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380949"
}
],
"notes": [
{
"category": "description",
"text": "A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unbound: Unbound Cache poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important rather than Moderate because it directly compromises the integrity of DNS caching mechanisms in resolvers supporting EDNS Client Subnet (ECS). The flaw allows an attacker to exploit the birthday paradox by generating a high volume of concurrent queries with different ECS values, thereby increasing the chance of a transaction ID collision with a spoofed response. If the resolver fails to properly segregate cache entries by ECS scope, it may accept and cache a malicious non-ECS response, effectively leading to DNS cache poisoning. Unlike typical poisoning attempts that require precise timing or privileged network positions, this attack can be carried out remotely with a high success rate, especially in resolvers that do not correctly isolate ECS queries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5994"
},
{
"category": "external",
"summary": "RHBZ#2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"release_date": "2025-07-16T14:38:22.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-23T17:46:13+00:00",
"details": "For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x86_64_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "unbound: Unbound Cache poisoning"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-23T17:46:13+00:00",
"details": "For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x86_64_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Paul Holzinger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-9566",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-04T15:45:46.448000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393152"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "podman: Podman kube play command may overwrite host files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having the Important severity. This happens because of the consequences of an successful attack and the low complexity (AC:L) on exploiting this vulnerability. Although the attacker cannot control the content written to the target file, depending on which file was targeted, the exploitation of this flaw may lead sensitive data corruption (I:H) and leading the system to crash resulting in a Denial of Service attack (A:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "RHBZ#2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89",
"url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw",
"url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
}
],
"release_date": "2025-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-23T17:46:13+00:00",
"details": "For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x86_64_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "workaround",
"details": "Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "podman: Podman kube play command may overwrite host files"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-23T17:46:13+00:00",
"details": "For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x86_64_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-23T17:46:13+00:00",
"details": "For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x86_64_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:18240"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.13:rhcos-x86_64-413.92.202510150118-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
}
]
}
RHSA-2025:19041
Vulnerability from csaf_redhat - Published: 2025-10-30 05:41 - Updated: 2026-06-05 00:27Summary
Red Hat Security Advisory: OpenShift Container Platform 4.14.58 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.14.58 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 4.14.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.14.58. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/155474
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/
Security Fix(es):
* libarchive: Double free at archive_read_format_rar_seek_data() in
archive_read_support_format_rar.c (CVE-2025-5914)
* unbound: Unbound Cache poisoning (CVE-2025-5994)
* sqlite: Integer Truncation in SQLite (CVE-2025-6965)
* podman: Podman kube play command may overwrite host files (CVE-2025-9566)
* libxml: Heap use after free (UAF) leads to Denial of service (DoS)
(CVE-2025-49794)
* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
All OpenShift Container Platform 4.14 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
8.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
42 references
Acknowledgments
Red Hat
Paul Holzinger
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.14.58 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\n This release includes a security update for Red Hat OpenShift Container\nPlatform 4.14.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.14.58. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/155474\n\nSpace precludes documenting all of the container images in this advisory.\nSee the following Release Notes documentation, which will be updated\nshortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nSecurity Fix(es):\n\n* libarchive: Double free at archive_read_format_rar_seek_data() in\narchive_read_support_format_rar.c (CVE-2025-5914)\n* unbound: Unbound Cache poisoning (CVE-2025-5994)\n* sqlite: Integer Truncation in SQLite (CVE-2025-6965)\n* podman: Podman kube play command may overwrite host files (CVE-2025-9566)\n* libxml: Heap use after free (UAF) leads to Denial of service (DoS)\n(CVE-2025-49794)\n* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:19041",
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_19041.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.14.58 bug fix and security update",
"tracking": {
"current_release_date": "2026-06-05T00:27:33+00:00",
"generator": {
"date": "2026-06-05T00:27:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:19041",
"initial_release_date": "2025-10-30T05:41:47+00:00",
"revision_history": [
{
"date": "2025-10-30T05:41:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-30T05:41:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:27:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.14",
"product": {
"name": "Red Hat OpenShift Container Platform 4.14",
"product_id": "9Base-RHOSE-4.14",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.14::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-aarch64-414.92.202510211419-0",
"product": {
"name": "rhcos-aarch64-414.92.202510211419-0",
"product_id": "rhcos-aarch64-414.92.202510211419-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@414.92.202510211419?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-ppc64le-414.92.202510211419-0",
"product": {
"name": "rhcos-ppc64le-414.92.202510211419-0",
"product_id": "rhcos-ppc64le-414.92.202510211419-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@414.92.202510211419?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-s390x-414.92.202510211419-0",
"product": {
"name": "rhcos-s390x-414.92.202510211419-0",
"product_id": "rhcos-s390x-414.92.202510211419-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@414.92.202510211419?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-x86_64-414.92.202510211419-0",
"product": {
"name": "rhcos-x86_64-414.92.202510211419-0",
"product_id": "rhcos-x86_64-414.92.202510211419-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@414.92.202510211419?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-aarch64-414.92.202510211419-0 as a component of Red Hat OpenShift Container Platform 4.14",
"product_id": "9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0"
},
"product_reference": "rhcos-aarch64-414.92.202510211419-0",
"relates_to_product_reference": "9Base-RHOSE-4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-ppc64le-414.92.202510211419-0 as a component of Red Hat OpenShift Container Platform 4.14",
"product_id": "9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0"
},
"product_reference": "rhcos-ppc64le-414.92.202510211419-0",
"relates_to_product_reference": "9Base-RHOSE-4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-s390x-414.92.202510211419-0 as a component of Red Hat OpenShift Container Platform 4.14",
"product_id": "9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0"
},
"product_reference": "rhcos-s390x-414.92.202510211419-0",
"relates_to_product_reference": "9Base-RHOSE-4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-x86_64-414.92.202510211419-0 as a component of Red Hat OpenShift Container Platform 4.14",
"product_id": "9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
},
"product_reference": "rhcos-x86_64-414.92.202510211419-0",
"relates_to_product_reference": "9Base-RHOSE-4.14"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"cve": "CVE-2025-5994",
"cwe": {
"id": "CWE-349",
"name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"discovery_date": "2025-07-16T15:01:36.497027+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380949"
}
],
"notes": [
{
"category": "description",
"text": "A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unbound: Unbound Cache poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important rather than Moderate because it directly compromises the integrity of DNS caching mechanisms in resolvers supporting EDNS Client Subnet (ECS). The flaw allows an attacker to exploit the birthday paradox by generating a high volume of concurrent queries with different ECS values, thereby increasing the chance of a transaction ID collision with a spoofed response. If the resolver fails to properly segregate cache entries by ECS scope, it may accept and cache a malicious non-ECS response, effectively leading to DNS cache poisoning. Unlike typical poisoning attempts that require precise timing or privileged network positions, this attack can be carried out remotely with a high success rate, especially in resolvers that do not correctly isolate ECS queries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5994"
},
{
"category": "external",
"summary": "RHBZ#2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"release_date": "2025-07-16T14:38:22.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "unbound: Unbound Cache poisoning"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Paul Holzinger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-9566",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-04T15:45:46.448000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393152"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "podman: Podman kube play command may overwrite host files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having the Important severity. This happens because of the consequences of an successful attack and the low complexity (AC:L) on exploiting this vulnerability. Although the attacker cannot control the content written to the target file, depending on which file was targeted, the exploitation of this flaw may lead sensitive data corruption (I:H) and leading the system to crash resulting in a Denial of Service attack (A:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "RHBZ#2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89",
"url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw",
"url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
}
],
"release_date": "2025-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "workaround",
"details": "Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "podman: Podman kube play command may overwrite host files"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-30T05:41:47+00:00",
"details": "For OpenShift Container Platform 4.14 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata\nfor x86_64, s390x, ppc64le, and aarch64 architectures. The image digests\nmay be found at\nhttps://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.14 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.14:rhcos-aarch64-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-ppc64le-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-s390x-414.92.202510211419-0",
"9Base-RHOSE-4.14:rhcos-x86_64-414.92.202510211419-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
}
]
}
RHSA-2025:19046
Vulnerability from csaf_redhat - Published: 2025-10-29 09:26 - Updated: 2026-06-05 00:27Summary
Red Hat Security Advisory: OpenShift Container Platform 4.18.27 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.18.27 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.18.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.18.27. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/155476
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/
Security Fix(es):
* libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c (CVE-2025-5914)
* unbound: Unbound Cache poisoning (CVE-2025-5994)
* sqlite: Integer Truncation in SQLite (CVE-2025-6965)
* podman: Podman kube play command may overwrite host files (CVE-2025-9566)
* libxml: Heap use after free (UAF) leads to Denial of service (DoS) (CVE-2025-49794)
* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
|
Threats
Impact
Important
A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
8.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
43 references
Acknowledgments
Red Hat
Paul Holzinger
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.18.27 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.18.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.18.27. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/155476\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nSecurity Fix(es):\n\n* libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c (CVE-2025-5914)\n* unbound: Unbound Cache poisoning (CVE-2025-5994)\n* sqlite: Integer Truncation in SQLite (CVE-2025-6965)\n* podman: Podman kube play command may overwrite host files (CVE-2025-9566)\n* libxml: Heap use after free (UAF) leads to Denial of service (DoS) (CVE-2025-49794)\n* libxml: Type confusion leads to Denial of service (DoS) (CVE-2025-49796)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc)\nor web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:19046",
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "OCPBUGS-62810",
"url": "https://issues.redhat.com/browse/OCPBUGS-62810"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_19046.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.18.27 bug fix and security update",
"tracking": {
"current_release_date": "2026-06-05T00:27:39+00:00",
"generator": {
"date": "2026-06-05T00:27:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:19046",
"initial_release_date": "2025-10-29T09:26:54+00:00",
"revision_history": [
{
"date": "2025-10-29T09:26:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-29T09:26:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:27:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.18",
"product": {
"name": "Red Hat OpenShift Container Platform 4.18",
"product_id": "9Base-RHOSE-4.18",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.18::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-aarch64-418.94.202510230424-0",
"product": {
"name": "rhcos-aarch64-418.94.202510230424-0",
"product_id": "rhcos-aarch64-418.94.202510230424-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@418.94.202510230424?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-ppc64le-418.94.202510230424-0",
"product": {
"name": "rhcos-ppc64le-418.94.202510230424-0",
"product_id": "rhcos-ppc64le-418.94.202510230424-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@418.94.202510230424?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-s390x-418.94.202510230424-0",
"product": {
"name": "rhcos-s390x-418.94.202510230424-0",
"product_id": "rhcos-s390x-418.94.202510230424-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@418.94.202510230424?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-x86_64-418.94.202510230424-0",
"product": {
"name": "rhcos-x86_64-418.94.202510230424-0",
"product_id": "rhcos-x86_64-418.94.202510230424-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@418.94.202510230424?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-aarch64-418.94.202510230424-0 as a component of Red Hat OpenShift Container Platform 4.18",
"product_id": "9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0"
},
"product_reference": "rhcos-aarch64-418.94.202510230424-0",
"relates_to_product_reference": "9Base-RHOSE-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-ppc64le-418.94.202510230424-0 as a component of Red Hat OpenShift Container Platform 4.18",
"product_id": "9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0"
},
"product_reference": "rhcos-ppc64le-418.94.202510230424-0",
"relates_to_product_reference": "9Base-RHOSE-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-s390x-418.94.202510230424-0 as a component of Red Hat OpenShift Container Platform 4.18",
"product_id": "9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0"
},
"product_reference": "rhcos-s390x-418.94.202510230424-0",
"relates_to_product_reference": "9Base-RHOSE-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-x86_64-418.94.202510230424-0 as a component of Red Hat OpenShift Container Platform 4.18",
"product_id": "9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
},
"product_reference": "rhcos-x86_64-418.94.202510230424-0",
"relates_to_product_reference": "9Base-RHOSE-4.18"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"cve": "CVE-2025-5994",
"cwe": {
"id": "CWE-349",
"name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"discovery_date": "2025-07-16T15:01:36.497027+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380949"
}
],
"notes": [
{
"category": "description",
"text": "A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unbound: Unbound Cache poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important rather than Moderate because it directly compromises the integrity of DNS caching mechanisms in resolvers supporting EDNS Client Subnet (ECS). The flaw allows an attacker to exploit the birthday paradox by generating a high volume of concurrent queries with different ECS values, thereby increasing the chance of a transaction ID collision with a spoofed response. If the resolver fails to properly segregate cache entries by ECS scope, it may accept and cache a malicious non-ECS response, effectively leading to DNS cache poisoning. Unlike typical poisoning attempts that require precise timing or privileged network positions, this attack can be carried out remotely with a high success rate, especially in resolvers that do not correctly isolate ECS queries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5994"
},
{
"category": "external",
"summary": "RHBZ#2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"release_date": "2025-07-16T14:38:22.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "unbound: Unbound Cache poisoning"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Paul Holzinger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-9566",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-04T15:45:46.448000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393152"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "podman: Podman kube play command may overwrite host files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having the Important severity. This happens because of the consequences of an successful attack and the low complexity (AC:L) on exploiting this vulnerability. Although the attacker cannot control the content written to the target file, depending on which file was targeted, the exploitation of this flaw may lead sensitive data corruption (I:H) and leading the system to crash resulting in a Denial of Service attack (A:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "RHBZ#2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89",
"url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw",
"url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
}
],
"release_date": "2025-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "workaround",
"details": "Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "podman: Podman kube play command may overwrite host files"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-29T09:26:54+00:00",
"details": "For OpenShift Container Platform 4.18 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/release_notes/\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\nThe sha values for the release are as follows:\n\n (For x86_64 architecture)\n The image digest is {x864_DIGEST}\n\n (For s390x architecture)\n The image digest is {s390x_DIGEST}\n\n (For ppc64le architecture)\n The image digest is {ppc64le_DIGEST}\n\n (For aarch64 architecture)\n The image digest is {aarch64_DIGEST}\n\nAll OpenShift Container Platform 4.18 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#updating-cluster-cli.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHOSE-4.18:rhcos-aarch64-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-ppc64le-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-s390x-418.94.202510230424-0",
"9Base-RHOSE-4.18:rhcos-x86_64-418.94.202510230424-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
}
]
}
RHSA-2025:19894
Vulnerability from csaf_redhat - Published: 2025-11-13 09:46 - Updated: 2026-06-03 17:13Summary
Red Hat Security Advisory: OpenShift Container Platform 4.12.82 bug fix and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.12.82 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.12.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes
Security Fix(es):
None
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file. Binary-Affected: podman Upstream-version-introduced: v4.0.0 Upstream-version-fixed: v5.6.1
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in CUPS, a widely used printing service on Linux and UNIX-like systems. The issue arises when authentication is configured to use a method other than Basic, but the attacker sends an HTTP request with a Basic authentication header. Due to improper validation in the cupsdAuthorize() function, the password is not checked. This vulnerability allows attackers to bypass authentication entirely, resulting in unauthorized access to administrative functions and system configuration.
8.0 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
41 references
Acknowledgments
Red Hat
Paul Holzinger
Hristo Venev
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.12.82 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nSecurity Fix(es):\n\nNone\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:19894",
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "2392595",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392595"
},
{
"category": "external",
"summary": "2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_19894.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.12.82 bug fix and security update",
"tracking": {
"current_release_date": "2026-06-03T17:13:10+00:00",
"generator": {
"date": "2026-06-03T17:13:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:19894",
"initial_release_date": "2025-11-13T09:46:03+00:00",
"revision_history": [
{
"date": "2025-11-13T09:46:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-14T20:18:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-03T17:13:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.12",
"product": {
"name": "Red Hat OpenShift Container Platform 4.12",
"product_id": "8Base-RHOSE-4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rhcos-x86_64-412.86.202510291903-0",
"product": {
"name": "rhcos-x86_64-412.86.202510291903-0",
"product_id": "rhcos-x86_64-412.86.202510291903-0",
"product_identification_helper": {
"purl": "pkg:generic/redhat/rhcos@412.86.202510291903?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhcos-x86_64-412.86.202510291903-0 as a component of Red Hat OpenShift Container Platform 4.12",
"product_id": "8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
},
"product_reference": "rhcos-x86_64-412.86.202510291903-0",
"relates_to_product_reference": "8Base-RHOSE-4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5994",
"cwe": {
"id": "CWE-349",
"name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"discovery_date": "2025-07-16T15:01:36.497027+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380949"
}
],
"notes": [
{
"category": "description",
"text": "A cache poisoning flaw was found in Unbound. Resolvers supporting EDNS Client Subnet (ECS) must segregate outgoing queries to accommodate different outgoing ECS information. This issue reopens resolvers to a birthday paradox attack, known as the Rebirthday Attack, which attempts to match the DNS transaction ID with cache non-ECS poisoned replies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unbound: Unbound Cache poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important rather than Moderate because it directly compromises the integrity of DNS caching mechanisms in resolvers supporting EDNS Client Subnet (ECS). The flaw allows an attacker to exploit the birthday paradox by generating a high volume of concurrent queries with different ECS values, thereby increasing the chance of a transaction ID collision with a spoofed response. If the resolver fails to properly segregate cache entries by ECS scope, it may accept and cache a malicious non-ECS response, effectively leading to DNS cache poisoning. Unlike typical poisoning attempts that require precise timing or privileged network positions, this attack can be carried out remotely with a high success rate, especially in resolvers that do not correctly isolate ECS queries.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5994"
},
{
"category": "external",
"summary": "RHBZ#2380949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5994"
},
{
"category": "external",
"summary": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"release_date": "2025-07-16T14:38:22.738000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "unbound: Unbound Cache poisoning"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Paul Holzinger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2025-9566",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-09-04T15:45:46.448000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393152"
}
],
"notes": [
{
"category": "description",
"text": "There\u0027s a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.\n\nBinary-Affected: podman\nUpstream-version-introduced: v4.0.0\nUpstream-version-fixed: v5.6.1",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "podman: Podman kube play command may overwrite host files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having the Important severity. This happens because of the consequences of an successful attack and the low complexity (AC:L) on exploiting this vulnerability. Although the attacker cannot control the content written to the target file, depending on which file was targeted, the exploitation of this flaw may lead sensitive data corruption (I:H) and leading the system to crash resulting in a Denial of Service attack (A:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9566"
},
{
"category": "external",
"summary": "RHBZ#2393152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9566"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89",
"url": "https://github.com/containers/podman/commit/43fbde4e665fe6cee6921868f04b7ccd3de5ad89"
},
{
"category": "external",
"summary": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw",
"url": "https://github.com/containers/podman/security/advisories/GHSA-wp3j-xq48-xpjw"
}
],
"release_date": "2025-09-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "Red Hat advises to not run the podman kube play command with untrusted Kubernetes YAML file as input, additionally review the Kubernetes YAML file before running it through podman may help to catch maliciously crafted secretes or volumes that may be used to exploit this vulnerability.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "podman: Podman kube play command may overwrite host files"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
},
{
"acknowledgments": [
{
"names": [
"Hristo Venev"
]
}
],
"cve": "CVE-2025-58060",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-09-02T12:06:54.304000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392595"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in CUPS, a widely used printing service on Linux and UNIX-like systems. The issue arises when authentication is configured to use a method other than Basic, but the attacker sends an HTTP request with a Basic authentication header. Due to improper validation in the cupsdAuthorize() function, the password is not checked. This vulnerability allows attackers to bypass authentication entirely, resulting in unauthorized access to administrative functions and system configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cups: Authentication Bypass in CUPS Authorization Handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has assessed the severity of this vulnerability as Important, given that it enables complete authentication bypass. Exploitation requires no valid credentials and can be performed remotely in some configurations. Attackers could gain administrative privileges in CUPS, modify critical configuration files, or potentially escalate their access further depending on the system environment. The root cause is a missing authentication check when the AuthType is set to values other than Basic but a Basic authorization header is supplied.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58060"
},
{
"category": "external",
"summary": "RHBZ#2392595",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392595"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58060"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58060",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58060"
},
{
"category": "external",
"summary": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq",
"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq"
}
],
"release_date": "2025-09-11T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-13T09:46:03+00:00",
"details": "For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes\n\nYou may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.\n\n The sha value for the release is as follows:\n\n (For x86_64 architecture)\n The image digest is sha256:d26fd3fd30ac6ae13f2779045d4e2defbf77aa24db5393d91df19488fd42504d\n\nAll OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:19894"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability. It is strongly advised to apply vendor-supplied patches as soon as they are released to address this authentication bypass vulnerability.",
"product_ids": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.12:rhcos-x86_64-412.86.202510291903-0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cups: Authentication Bypass in CUPS Authorization Handling"
}
]
}
RHSA-2025:20936
Vulnerability from csaf_redhat - Published: 2025-11-11 14:06 - Updated: 2026-06-03 17:13Summary
Red Hat Security Advisory: sqlite security update
Severity
Important
Notes
Topic: An update for sqlite is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.
Security Fix(es):
* sqlite: Integer Truncation in SQLite (CVE-2025-6965)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
102 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for sqlite is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.\n\nSecurity Fix(es):\n\n* sqlite: Integer Truncation in SQLite (CVE-2025-6965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:20936",
"url": "https://access.redhat.com/errata/RHSA-2025:20936"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "RHEL-89962",
"url": "https://issues.redhat.com/browse/RHEL-89962"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_20936.json"
}
],
"title": "Red Hat Security Advisory: sqlite security update",
"tracking": {
"current_release_date": "2026-06-03T17:13:10+00:00",
"generator": {
"date": "2026-06-03T17:13:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:20936",
"initial_release_date": "2025-11-11T14:06:37+00:00",
"revision_history": [
{
"date": "2025-11-11T14:06:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-11T14:06:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-03T17:13:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux BaseOS (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9::baseos"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-devel@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debugsource@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/lemon-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-analyzer-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tcl-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tools-debuginfo@3.34.1-9.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"product": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"product_id": "sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs@3.34.1-9.el9_7?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-devel@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debugsource@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/lemon-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-analyzer-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tcl-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tools-debuginfo@3.34.1-9.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"product": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"product_id": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs@3.34.1-9.el9_7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-devel-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-devel-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-devel@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debugsource@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/lemon-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-analyzer-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tcl-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tools-debuginfo@3.34.1-9.el9_7?arch=i686"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-0:3.34.1-9.el9_7.i686",
"product": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.i686",
"product_id": "sqlite-libs-0:3.34.1-9.el9_7.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs@3.34.1-9.el9_7?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-devel@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debugsource@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/lemon-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-analyzer-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tcl-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tools-debuginfo@3.34.1-9.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"product": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"product_id": "sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs@3.34.1-9.el9_7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-devel-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-devel-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-devel@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debugsource@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/lemon-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-analyzer-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tcl-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-tools-debuginfo@3.34.1-9.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "sqlite-libs-0:3.34.1-9.el9_7.s390x",
"product": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.s390x",
"product_id": "sqlite-libs-0:3.34.1-9.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite-libs@3.34.1-9.el9_7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "sqlite-0:3.34.1-9.el9_7.src",
"product": {
"name": "sqlite-0:3.34.1-9.el9_7.src",
"product_id": "sqlite-0:3.34.1-9.el9_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/sqlite@3.34.1-9.el9_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.src",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.src as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.src",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-devel-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
},
"product_reference": "sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"relates_to_product_reference": "BaseOS-9.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-11T14:06:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:20936"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"AppStream-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:lemon-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.src",
"BaseOS-9.7.0.Z.MAIN:sqlite-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-analyzer-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-debugsource-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-devel-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-libs-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tcl-debuginfo-0:3.34.1-9.el9_7.x86_64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.aarch64",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.i686",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.ppc64le",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.s390x",
"BaseOS-9.7.0.Z.MAIN:sqlite-tools-debuginfo-0:3.34.1-9.el9_7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
}
]
}
RHSA-2025:21885
Vulnerability from csaf_redhat - Published: 2025-11-20 19:56 - Updated: 2026-06-05 00:27Summary
Red Hat Security Advisory: OpenShift Compliance Operator bug fix and enhancement update
Severity
Important
Notes
Topic: An updated OpenShift Compliance Operator image that fixes various bugs and adds new
enhancements is now available for the Red Hat OpenShift Enterprise 4 catalog.
Details: The OpenShift Compliance Operator v1.8.0 is now available.
See the documentation for bug fix information:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/compliance-operator#compliance-operator-release-notes
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Vendor Fix
fix
Workaround
|
Known not affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — | ||
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — | ||
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — | ||
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — | ||
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Threats
Impact
Important
A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Workaround
|
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
Threats
Impact
Important
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
6.4 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
7.8 (High)
Affected products
Fixed
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
7.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 | — |
Workaround
|
|
| Unresolved product id: OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 | — |
Workaround
|
Threats
Impact
Important
References
45 references
Acknowledgments
Google
Pedro Gallegos
Simon Scannell
Jasiel Spelman
ANSSI - French Cybersecurity Agency
Olivier BAL-PETRE
Antony Di Scala
Michael Whale
James Force
Google Project Zero
Sergei Glazunov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated OpenShift Compliance Operator image that fixes various bugs and adds new\nenhancements is now available for the Red Hat OpenShift Enterprise 4 catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "The OpenShift Compliance Operator v1.8.0 is now available.\nSee the documentation for bug fix information:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/compliance-operator#compliance-operator-release-notes",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:21885",
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-12085",
"url": "https://access.redhat.com/security/cve/CVE-2024-12085"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-5914",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6020",
"url": "https://access.redhat.com/security/cve/CVE-2025-6020"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6965",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-7195",
"url": "https://access.redhat.com/security/cve/CVE-2025-7195"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-7425",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-8941",
"url": "https://access.redhat.com/security/cve/CVE-2025-8941"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_21885.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Compliance Operator bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-05T00:27:40+00:00",
"generator": {
"date": "2026-06-05T00:27:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:21885",
"initial_release_date": "2025-11-20T19:56:52+00:00",
"revision_history": [
{
"date": "2025-11-20T19:56:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-20T19:57:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:27:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Compliance Operator 1",
"product": {
"name": "OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_compliance_operator:1::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Compliance Operator"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf?arch=s390x\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3Ad051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89?arch=s390x\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498?arch=s390x\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3A09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779?arch=s390x\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-operator-bundle@sha256%3A0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3Ac953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83?arch=arm64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779?arch=arm64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676?arch=arm64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3A06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049?arch=arm64\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3Ab282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3A8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64 as a component of OpenShift Compliance Operator 1",
"product_id": "OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64",
"relates_to_product_reference": "OpenShift Compliance Operator 1"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Pedro Gallegos",
"Simon Scannell",
"Jasiel Spelman"
],
"organization": "Google"
}
],
"cve": "CVE-2024-12085",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2024-12-05T12:06:36.594000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2330539"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rsync: Info Leak via Uninitialized Stack Contents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as having Important impact as it helps bypass Address Space Layout Randomization (ASLR). ASLR is a memory protection system which makes the exploitation of memory corruption vulnerabilities more difficult.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-12085"
},
{
"category": "external",
"summary": "RHBZ#2330539",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330539"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-12085",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12085"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-12085",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12085"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/952657",
"url": "https://kb.cert.org/vuls/id/952657"
}
],
"release_date": "2025-01-14T15:06:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "Seeing as this vulnerability relies on information leakage coming from the presence of data in the uninitialized memory of the `sum2` buffer, a potential mitigation involves compiling rsync with the `-ftrivial-auto-var-init=zero` option set. This mitigates the issue because it initializes the `sum2` variable\u0027s memory with zeroes to prevent uninitialized memory disclosure.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rsync: Info Leak via Uninitialized Stack Contents"
},
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"acknowledgments": [
{
"names": [
"Olivier BAL-PETRE"
],
"organization": "ANSSI - French Cybersecurity Agency"
}
],
"cve": "CVE-2025-6020",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-12T16:33:01.214000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372512"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "linux-pam: Linux-pam directory Traversal",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in pam_namespace marked as Important rather than Moderate due to its direct impact on privilege boundaries and the ease of exploitation in common configurations. By leveraging symlink attacks or race conditions in polyinstantiated directories under their control, unprivileged local users can escalate to root, compromising the entire system. Since pam_namespace is often used in multi-user environments (e.g., shared systems, terminal servers, containers), a misconfigured or partially protected setup becomes a single point of failure. The attack does not require special capabilities or kernel-level exploits\u2014just timing and control over certain paths\u2014making it both reliable and low-barrier. Moreover, privilege escalation flaws like this can be chained with other vulnerabilities to persist or evade detection, further amplifying the risk.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6020"
},
{
"category": "external",
"summary": "RHBZ#2372512",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372512"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6020"
},
{
"category": "external",
"summary": "https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx",
"url": "https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx"
}
],
"release_date": "2025-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "Disable the `pam_namespace` module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like `/tmp`.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "linux-pam: Linux-pam directory Traversal"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Antony Di Scala",
"Michael Whale",
"James Force"
]
}
],
"cve": "CVE-2025-7195",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2025-07-04T08:54:01.878000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2376300"
}
],
"notes": [
{
"category": "description",
"text": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. \n\nIn affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability as moderate severity for affected products which run on OpenShift. The vulnerability allows for potential privilege escalation within a container, but OpenShift\u0027s default, multi-layered security posture effectively mitigates this risk. \n\nThe primary controls include the default Security Context Constraints (SCC), which severely limit a container\u0027s permissions from the start, and SELinux, which enforces mandatory access control to ensure strict isolation. While other container runtime environments may have different controls available and require case-by-case analysis, OpenShift\u0027s built-in defenses are designed to prevent this type of attack.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7195"
},
{
"category": "external",
"summary": "RHBZ#2376300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7195",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7195"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
}
],
"release_date": "2025-08-07T18:59:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.\n\nSecurity Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. \n\nCapabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.\n\nallowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.\n\nSELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.\n\nFilesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container\u0027s security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd"
},
{
"acknowledgments": [
{
"names": [
"Sergei Glazunov"
],
"organization": "Google Project Zero"
}
],
"cve": "CVE-2025-7425",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2025-07-10T09:37:28.172000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This heap-use-after-free vulnerability in libxslt is rated Important because it can lead to memory corruption and application crashes. The flaw arises when internal attribute metadata (atype) is modified by libxslt\u0027s xsltSetSourceNodeFlags() function during processing of result tree fragments. If the flag corruption prevents proper removal of ID references, later memory cleanup routines may operate on already-freed memory. Since libxslt is commonly used in server-side XML processing, this could result in denial-of-service or potentially facilitate code execution under certain memory reuse conditions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "RHBZ#2379274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7425",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140"
}
],
"release_date": "2025-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr"
},
{
"cve": "CVE-2025-8941",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-08-13T12:11:55.270000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388220"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a \"complete\" fix for CVE-2025-6020.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "linux-pam: Incomplete fix for CVE-2025-6020",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in pam_namespace is rated Important because it allows a local, unprivileged user to escalate privileges to root by exploiting symlink attacks or race conditions in polyinstantiated directories under their control. Successful exploitation requires only the ability to create and manipulate filesystem paths in such directories, without the need for special capabilities or kernel-level vulnerabilities. In multi-user environments\u2014such as shared systems, terminal servers, or certain container deployments, an unprotected or misconfigured pam_namespace configuration can serve as a single point of compromise. Privilege escalation flaws of this nature may also be chained with other vulnerabilities to maintain persistence or evade detection, further increasing the overall impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64"
],
"known_not_affected": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8941"
},
{
"category": "external",
"summary": "RHBZ#2388220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8941",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8941"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8941",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8941"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T19:56:52+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"category": "workaround",
"details": "Disable the `pam_namespace` module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like `/tmp`.",
"product_ids": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0642196267bef5bc68c20a5ee4d35c5dd139fbb00a905578a85cab5e220f445a_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:79554e96e4780fe3c219058a2d6408aa08dda31de091b7b7a647ed5f939e4712_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:7dfec9fbabaa748bbd91732ca5beebbd773306d5227a4f23af8fb0e444f0a779_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:d051f621dbcf4ec798b3782b8a49187852d1e352fd956131491288e36366dd89_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:6ab41bd207ae7e33f29adc87e208366472654bb5fb9b1854234cc5674ecc169e_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9131ef184c616ec8a2aee2781dfe0c083463a9bfbdfaf59028bd5f626a9eb676_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:09f37fa618a4e02460b28b1097148573b395354300db5f917ed155ab7968b779_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c953e9f9abf9cf25bf65bb3ffdc86ccf49b3e69a1cf3fbb47b6972e421fd6628_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:0bc0b7a20ce3c6303a45a699f44d2b90597b6a62846e89a5bca285b3228a9a52_amd64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02_ppc64le",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf_s390x",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83_arm64",
"OpenShift Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "linux-pam: Incomplete fix for CVE-2025-6020"
}
]
}
RHSA-2025:21913
Vulnerability from csaf_redhat - Published: 2025-11-21 21:19 - Updated: 2026-06-05 00:28Summary
Red Hat Security Advisory: OpenShift File Integrity Operator bug fix and enhancement update
Severity
Important
Notes
Topic: An updated OpenShift File Integrity Operator image that fixes various bugs and adds new
enhancements is now available for the Red Hat OpenShift Enterprise 4 catalog.
Details: The OpenShift File Integrity Operator v1.3.7 is now available.
See the documentation for bug fix information:
https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-release-notes.html
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
7.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Threats
Impact
Important
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
7.8 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Workaround
|
Threats
Impact
Important
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
9.1 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
9.1 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in AIDE. This flaw allows an attacker to craft a malicious filename by including terminal escape sequences to hide the addition or removal of the file from the report and tamper with the log output. A local user may exploit this to bypass AIDE's detection of malicious files. Additionally, the output of extended attribute key names and symbolic links targets is also not properly neutralized.
7.1 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 | — |
Workaround
|
Threats
Impact
Important
References
40 references
Acknowledgments
Google Project Zero
Sergei Glazunov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated OpenShift File Integrity Operator image that fixes various bugs and adds new\nenhancements is now available for the Red Hat OpenShift Enterprise 4 catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "The OpenShift File Integrity Operator v1.3.7 is now available.\nSee the documentation for bug fix information:\n\nhttps://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-release-notes.html",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:21913",
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-49794",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-49796",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-54389",
"url": "https://access.redhat.com/security/cve/CVE-2025-54389"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-5914",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6965",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-7425",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_21913.json"
}
],
"title": "Red Hat Security Advisory: OpenShift File Integrity Operator bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-05T00:28:00+00:00",
"generator": {
"date": "2026-06-05T00:28:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:21913",
"initial_release_date": "2025-11-21T21:19:46+00:00",
"revision_history": [
{
"date": "2025-11-21T21:19:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-21T21:19:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-05T00:28:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift File Integrity Operator - FIO 1",
"product": {
"name": "OpenShift File Integrity Operator - FIO 1",
"product_id": "OpenShift File Integrity Operator - FIO 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift File Integrity Operator - FIO"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"product_id": "registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-file-integrity-operator-bundle@sha256%3A7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64",
"product_id": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-file-integrity-rhel8-operator@sha256%3A86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9?arch=amd64\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-file-integrity-rhel8-operator@sha256%3A364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"product_id": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-file-integrity-rhel8-operator@sha256%3A59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4?arch=s390x\u0026repository_url=registry.redhat.io/compliance"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64 as a component of OpenShift File Integrity Operator - FIO 1",
"product_id": "OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"relates_to_product_reference": "OpenShift File Integrity Operator - FIO 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le as a component of OpenShift File Integrity Operator - FIO 1",
"product_id": "OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"relates_to_product_reference": "OpenShift File Integrity Operator - FIO 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x as a component of OpenShift File Integrity Operator - FIO 1",
"product_id": "OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"relates_to_product_reference": "OpenShift File Integrity Operator - FIO 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64 as a component of OpenShift File Integrity Operator - FIO 1",
"product_id": "OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64",
"relates_to_product_reference": "OpenShift File Integrity Operator - FIO 1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5914",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-06-06T17:58:25.491000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2370861"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has rated this vulnerability as Important because it allows a local attacker with limited privileges to trigger a double-free in libarchive\u0027s RAR parser by providing a specially crafted RAR archive. Successful exploitation could result in code execution or application crashes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"category": "external",
"summary": "RHBZ#2370861",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/pull/2598",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"category": "external",
"summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
}
],
"release_date": "2025-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libarchive: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"acknowledgments": [
{
"names": [
"Sergei Glazunov"
],
"organization": "Google Project Zero"
}
],
"cve": "CVE-2025-7425",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2025-07-10T09:37:28.172000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This heap-use-after-free vulnerability in libxslt is rated Important because it can lead to memory corruption and application crashes. The flaw arises when internal attribute metadata (atype) is modified by libxslt\u0027s xsltSetSourceNodeFlags() function during processing of result tree fragments. If the flag corruption prevents proper removal of ID references, later memory cleanup routines may operate on already-freed memory. Since libxslt is commonly used in server-side XML processing, this could result in denial-of-service or potentially facilitate code execution under certain memory reuse conditions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7425"
},
{
"category": "external",
"summary": "RHBZ#2379274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7425",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7425"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140"
}
],
"release_date": "2025-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxslt: libxml2: Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-06-11T21:33:43.044000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372373"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue was rated with a severity impact of Important by Red Hat Product Security, as libxml can be used to parse XML coming from the network depending on how the program consumes it and uses the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49794"
},
{
"category": "external",
"summary": "RHBZ#2372373",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/931"
}
],
"release_date": "2025-06-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix.",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Heap use after free (UAF) leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-06-12T00:35:26.470000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372385"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml: Type confusion leads to Denial of service (DoS)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49796"
},
{
"category": "external",
"summary": "RHBZ#2372385",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796"
},
{
"category": "external",
"summary": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/933"
}
],
"release_date": "2025-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "workaround",
"details": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libxml: Type confusion leads to Denial of service (DoS)"
},
{
"cve": "CVE-2025-54389",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2025-08-12T18:45:34.800000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388019"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in AIDE. This flaw allows an attacker to craft a malicious filename by including terminal escape sequences to hide the addition or removal of the file from the report and tamper with the log output. A local user may exploit this to bypass AIDE\u0027s detection of malicious files. Additionally, the output of extended attribute key names and symbolic links targets is also not properly neutralized.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "aide: improper output neutralization enables bypassing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"known_not_affected": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-54389"
},
{
"category": "external",
"summary": "RHBZ#2388019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388019"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-54389",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54389"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-54389",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54389"
}
],
"release_date": "2025-08-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-21T21:19:46+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"category": "workaround",
"details": "Currently, no mitigation is available for this vulnerability.",
"product_ids": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-operator-bundle@sha256:7520e7694e24b0de7e904f1833f9de1bd147eba17cda43aaece3a4df259e6a73_amd64",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605_ppc64le",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:59fcdf4ea159ba76fdb582011263672646dd9d63304a91592c0a21d0f43986a4_s390x",
"OpenShift File Integrity Operator - FIO 1:registry.redhat.io/compliance/openshift-file-integrity-rhel8-operator@sha256:86d2378dea6c26da92e19e1a8dc9c9fb0fa8587fd60f83e6cc4503153e753db9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "aide: improper output neutralization enables bypassing"
}
]
}
RHSA-2025:21994
Vulnerability from csaf_redhat - Published: 2025-11-24 19:34 - Updated: 2026-06-03 17:13Summary
Red Hat Security Advisory: A Subscription Management tool for finding and reporting Red Hat product usage
Severity
Important
Notes
Topic: A Subscription Management tool for finding and reporting Red Hat product usage
Details: Red Hat Discovery, also known as Discovery, is an inspection and reporting tool that finds,
identifies, and reports environment data, or facts, such as the number of physical and virtual
systems on a network, their operating systems, and relevant configuration data stored within
them. Discovery also identifies and reports more detailed facts for some versions of key
Red Hat packages and products that it finds in the network.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — | ||
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Threats
Impact
Moderate
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — | ||
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Threats
Impact
Moderate
A flaw was found in shadow-utils. Affected versions of shadow-utils establish a default /etc/subuid behavior, for example, uid 100000 through 165535 for the first user account, that can conflict with the uids of users defined on locally administered networks. This issue potentially leads to account takeover by leveraging newuidmap for access to an NFS home directory or same-host resources for remote logins by these local network users.
CWE-1188 - Initialization of a Resource with an Insecure DefaultAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in libtiff. The `get_histogram` function in `file/tiffmedian.c` exhibits a use-after-free condition when processing a specially crafted file, allowing a local attacker to trigger memory corruption. This manipulation results in a use-after-free vulnerability, and can lead to a denial of service.
7.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability was found in BIND 9 resolvers, where processing malformed DNSKEY records from a specially crafted zone can lead to resource exhaustion, primarily causing excessive CPU utilization. This issue enables a remote, unauthenticated attacker to degrade resolver performance and potentially cause a denial of service (DoS) for legitimate DNS clients.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).
5.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability exists in BIND’s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.
8.6 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver’s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction.
8.6 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Important
A path traversal flaw was found in Vim. Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive.
4.1 (Medium)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Moderate
A path traversal flaw was found in Vim. Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive.
4.1 (Medium)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 | — |
Workaround
|
Threats
Impact
Moderate
References
87 references
Acknowledgments
AnchorSec Ltd.
Gareth C
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A Subscription Management tool for finding and reporting Red Hat product usage",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Discovery, also known as Discovery, is an inspection and reporting tool that finds,\nidentifies, and reports environment data, or facts, such as the number of physical and virtual\nsystems on a network, their operating systems, and relevant configuration data stored within\nthem. Discovery also identifies and reports more detailed facts for some versions of key\nRed Hat packages and products that it finds in the network.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:21994",
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-52355",
"url": "https://access.redhat.com/security/cve/CVE-2023-52355"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-52356",
"url": "https://access.redhat.com/security/cve/CVE-2023-52356"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-56433",
"url": "https://access.redhat.com/security/cve/CVE-2024-56433"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-40778",
"url": "https://access.redhat.com/security/cve/CVE-2025-40778"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-40780",
"url": "https://access.redhat.com/security/cve/CVE-2025-40780"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-53905",
"url": "https://access.redhat.com/security/cve/CVE-2025-53905"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-53906",
"url": "https://access.redhat.com/security/cve/CVE-2025-53906"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-6965",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-8176",
"url": "https://access.redhat.com/security/cve/CVE-2025-8176"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-8677",
"url": "https://access.redhat.com/security/cve/CVE-2025-8677"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9230",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-9900",
"url": "https://access.redhat.com/security/cve/CVE-2025-9900"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/subscription_central/1-latest/#Discovery",
"url": "https://docs.redhat.com/en/documentation/subscription_central/1-latest/#Discovery"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_21994.json"
}
],
"title": "Red Hat Security Advisory: A Subscription Management tool for finding and reporting Red Hat product usage",
"tracking": {
"current_release_date": "2026-06-03T17:13:11+00:00",
"generator": {
"date": "2026-06-03T17:13:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:21994",
"initial_release_date": "2025-11-24T19:34:28+00:00",
"revision_history": [
{
"date": "2025-11-24T19:34:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-24T19:34:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-03T17:13:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Discovery 2",
"product": {
"name": "Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:discovery:2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Discovery"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"product": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"product_id": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-server-rhel9@sha256%3A97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503?arch=amd64\u0026repository_url=registry.redhat.io/discovery\u0026tag=2.4.0-1763596485"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64",
"product": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64",
"product_id": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-ui-rhel9@sha256%3A69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57?arch=amd64\u0026repository_url=registry.redhat.io/discovery\u0026tag=2.4.0-1763656152"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"product": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"product_id": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-server-rhel9@sha256%3Ab4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3?arch=arm64\u0026repository_url=registry.redhat.io/discovery\u0026tag=2.4.0-1763596485"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"product": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"product_id": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"product_identification_helper": {
"purl": "pkg:oci/discovery-ui-rhel9@sha256%3A310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740?arch=arm64\u0026repository_url=registry.redhat.io/discovery\u0026tag=2.4.0-1763656152"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64"
},
"product_reference": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
},
"product_reference": "registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64"
},
"product_reference": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"relates_to_product_reference": "Red Hat Discovery 2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64 as a component of Red Hat Discovery 2",
"product_id": "Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
},
"product_reference": "registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64",
"relates_to_product_reference": "Red Hat Discovery 2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-52355",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2023-11-24T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2251326"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libtiff: TIFFRasterScanlineSize64 produce too-big size and could cause OOM",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The identified out-of-memory vulnerability in libtiff, triggered by a crafted TIFF file passed to the TIFFRasterScanlineSize64() API, presents a moderate severity concern rather than a important one due to several factors. Primarily, the exploit requires the crafted input to be smaller than 379 KB, imposing a limitation on the potential impact and reducing the likelihood of successful exploitation in practical scenarios. Furthermore, the nature of the vulnerability is limited to denial-of-service attacks, which, although disruptive, do not inherently pose a direct risk of data compromise or system compromise. However, it\u0027s important to acknowledge that denial-of-service attacks can still have significant operational implications, particularly in environments reliant on continuous availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-52355"
},
{
"category": "external",
"summary": "RHBZ#2251326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-52355",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52355"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/issues/621",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/621"
}
],
"release_date": "2023-11-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libtiff: TIFFRasterScanlineSize64 produce too-big size and could cause OOM"
},
{
"cve": "CVE-2023-52356",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2023-11-24T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2251344"
}
],
"notes": [
{
"category": "description",
"text": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libtiff: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The flaw allows an attacker to potentially cause a denial of service attack by crashing a program, but the impact is minimal.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-52356"
},
{
"category": "external",
"summary": "RHBZ#2251344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-52356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52356"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52356",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52356"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/issues/622",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/622"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/merge_requests/546",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/546"
}
],
"release_date": "2023-11-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libtiff: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service"
},
{
"cve": "CVE-2024-56433",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2024-12-26T09:00:54.065197+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2334165"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in shadow-utils. Affected versions of shadow-utils establish a default /etc/subuid behavior, for example, uid 100000 through 165535 for the first user account, that can conflict with the uids of users defined on locally administered networks. This issue potentially leads to account takeover by leveraging newuidmap for access to an NFS home directory or same-host resources for remote logins by these local network users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-56433"
},
{
"category": "external",
"summary": "RHBZ#2334165",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334165"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-56433",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56433"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56433",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56433"
},
{
"category": "external",
"summary": "https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241",
"url": "https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241"
},
{
"category": "external",
"summary": "https://github.com/shadow-maint/shadow/issues/1157",
"url": "https://github.com/shadow-maint/shadow/issues/1157"
},
{
"category": "external",
"summary": "https://github.com/shadow-maint/shadow/releases/tag/4.4",
"url": "https://github.com/shadow-maint/shadow/releases/tag/4.4"
}
],
"release_date": "2024-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "shadow-utils: Default subordinate ID configuration in /etc/login.defs could lead to compromise"
},
{
"cve": "CVE-2025-6965",
"cwe": {
"id": "CWE-197",
"name": "Numeric Truncation Error"
},
"discovery_date": "2025-07-15T14:02:19.241458+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380149"
}
],
"notes": [
{
"category": "description",
"text": "A memory corruption flaw was found in SQLite. Under specific conditions a query can be generated where the number of aggregate terms could exceed the number of columns available. This issue could lead to memory corruption and subsequent unintended behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sqlite: Integer Truncation in SQLite",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in SQLite is categorized as Important rather than Critical because, although it involves memory corruption, the conditions required to trigger it are relatively constrained. The flaw arises when a query causes the number of aggregate terms to exceed internal limits, leading to potential buffer overflows or memory mismanagement. However, exploitation requires the ability to craft complex SQL queries and interact with the SQLite engine in a specific manner\u2014typically through direct SQL input. There is no known evidence of arbitrary code execution, privilege escalation, or remote exploitability as a direct result of this flaw. Additionally, most SQLite deployments are embedded in applications where input is tightly controlled or sanitized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-6965"
},
{
"category": "external",
"summary": "RHBZ#2380149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6965"
},
{
"category": "external",
"summary": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"
},
{
"category": "external",
"summary": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8",
"url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8"
}
],
"release_date": "2025-07-15T13:44:00.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "sqlite: Integer Truncation in SQLite"
},
{
"cve": "CVE-2025-8176",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"discovery_date": "2025-07-26T04:00:56.216434+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2383598"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libtiff. The `get_histogram` function in `file/tiffmedian.c` exhibits a use-after-free condition when processing a specially crafted file, allowing a local attacker to trigger memory corruption. This manipulation results in a use-after-free vulnerability, and can lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libtiff: LibTIFF Use-After-Free Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has been rated Important because it involves a use-after-free flaw in the get_histogram function of LibTIFF\u2019s tiffmedian tool. Successful exploitation may allow a local attacker to execute arbitrary code or cause a denial of service, leading to loss of confidentiality, integrity, and availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8176"
},
{
"category": "external",
"summary": "RHBZ#2383598",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383598"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8176"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8176",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8176"
},
{
"category": "external",
"summary": "http://www.libtiff.org/",
"url": "http://www.libtiff.org/"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172",
"url": "https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/issues/707",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/707"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/merge_requests/727",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/727"
},
{
"category": "external",
"summary": "https://vuldb.com/?ctiid.317590",
"url": "https://vuldb.com/?ctiid.317590"
},
{
"category": "external",
"summary": "https://vuldb.com/?id.317590",
"url": "https://vuldb.com/?id.317590"
},
{
"category": "external",
"summary": "https://vuldb.com/?submit.621796",
"url": "https://vuldb.com/?submit.621796"
}
],
"release_date": "2025-07-26T03:32:08.851000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libtiff: LibTIFF Use-After-Free Vulnerability"
},
{
"cve": "CVE-2025-8677",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-10-22T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405830"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in BIND 9 resolvers, where processing malformed DNSKEY records from a specially crafted zone can lead to resource exhaustion, primarily causing excessive CPU utilization. This issue enables a remote, unauthenticated attacker to degrade resolver performance and potentially cause a denial of service (DoS) for legitimate DNS clients.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bind: Resource exhaustion via malformed DNSKEY handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is considered Important because it allows a remote, unauthenticated attacker to cause significant CPU exhaustion on vulnerable BIND resolvers by serving zones containing malformed DNSKEY records. The flaw triggers excessive computational effort during DNSKEY validation, leading to degraded performance and potential denial of service for legitimate clients. However, the issue affects availability only\u2014it does not enable code execution, data exposure, or privilege escalation\u2014so it is not classified as critical. Furthermore, authoritative servers are not impacted, limiting the scope of exposure to recursive resolvers. While the attack is easy to launch and can disrupt DNS operations, its effect ceases once the malicious traffic stops, making prompt patching and recursive access control effective mitigations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-8677"
},
{
"category": "external",
"summary": "RHBZ#2405830",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405830"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-8677",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8677"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8677",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8677"
}
],
"release_date": "2025-10-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "bind: Resource exhaustion via malformed DNSKEY handling"
},
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2025-09-17T12:15:34.387000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396054"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability was rated as Moderate because, while the potential impact includes an application level denial of service and possible arbitrary code execution, successful exploitation is considered unlikely due to the high attack complexity and the fact that password-based CMS encryption (PWRI) is rarely used in real-world deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9230"
},
{
"category": "external",
"summary": "RHBZ#2396054",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396054"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230"
}
],
"release_date": "2025-09-30T23:59:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap"
},
{
"acknowledgments": [
{
"names": [
"Gareth C"
],
"organization": "AnchorSec Ltd."
}
],
"cve": "CVE-2025-9900",
"cwe": {
"id": "CWE-123",
"name": "Write-what-where Condition"
},
"discovery_date": "2025-09-03T02:48:12.111000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392784"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Libtiff. This vulnerability is a \"write-what-where\" condition, triggered when the library processes a specially crafted TIFF image file.\n\nBy providing an abnormally large image height value in the file\u0027s metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libtiff: Libtiff Write-What-Where",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This attack requires user interaction to run the malicious TIFF image file, hence the CVE is maintained as important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9900"
},
{
"category": "external",
"summary": "RHBZ#2392784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9900",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9900"
},
{
"category": "external",
"summary": "https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file",
"url": "https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/issues/704",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/704"
},
{
"category": "external",
"summary": "https://gitlab.com/libtiff/libtiff/-/merge_requests/732",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/732"
},
{
"category": "external",
"summary": "https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html",
"url": "https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html"
}
],
"release_date": "2025-09-22T14:29:35.767000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "libtiff: Libtiff Write-What-Where"
},
{
"cve": "CVE-2025-40778",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2025-10-22T15:07:23.729000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405827"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability exists in BIND\u2019s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bind: Cache poisoning attacks with unsolicited RRs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "It is classified as Important rather than Critical because its impact is limited to cache poisoning within recursive resolvers and does not allow direct code execution, privilege escalation, or service disruption. The vulnerability affects the accuracy of DNS responses, but not the availability or confidentiality of systems. Additionally, DNSSEC-enabled deployments and restricted recursive access can significantly mitigate exploitation risks. Therefore, while the flaw can misdirect network traffic and compromise trust in name resolution, it does not directly compromise the underlying server or client systems, justifying an Important \u2014 but not Critical \u2014 severity rating.\n\nTechnical Analysis:\nThe issue arises because BIND fails to strictly validate unsolicited resource records accompanying legitimate DNS responses. This gap allows forged recursive resolvers to be cached as valid entries. Since the attack is remote, requires no authentication, and exploits a low-complexity vector, it is highly impactful in recursive resolver environments\u2014especially those exposed to untrusted clients or open resolvers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-40778"
},
{
"category": "external",
"summary": "RHBZ#2405827",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405827"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-40778",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40778"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-40778",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40778"
}
],
"release_date": "2025-10-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "While it is not possible to eliminate risk from this vulnerability, there are several options for reducing the risk. These include restricting recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "bind: Cache poisoning attacks with unsolicited RRs"
},
{
"cve": "CVE-2025-40780",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2025-10-22T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405829"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver\u2019s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bind: Cache poisoning due to weak PRNG",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in BIND 9 resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG) used to select the UDP source port and DNS query (transaction) ID. Exploitation requires an attacker to correctly predict both values and race the legitimate authoritative response with a spoofed packet to perform cache poisoning. While the PRNG weakness reduces entropy and makes prediction feasible under certain conditions, this still requires precise timing, on-path or spoofing capabilities, and targeting of recursive resolvers.\n\nThe impact is limited to resolver cache integrity; it does not allow remote code execution, privilege escalation, or direct compromise of the BIND server itself. Authoritative servers are not affected. Additionally, operational mitigations such as DNSSEC validation, access control restricting recursion, and network-level packet filtering reduce real-world exploitability. No active exploits have been observed in the wild.\n\nBecause exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-40780"
},
{
"category": "external",
"summary": "RHBZ#2405829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-40780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40780"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-40780",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40780"
}
],
"release_date": "2025-10-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "bind: Cache poisoning due to weak PRNG"
},
{
"cve": "CVE-2025-53905",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-07-15T21:01:19.770241+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380362"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal flaw was found in Vim. Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim path traversial",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53905"
},
{
"category": "external",
"summary": "RHBZ#2380362",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380362"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53905"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53905"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239",
"url": "https://github.com/vim/vim/commit/87757c6b0a4b2c1f71c72ea8e1438b8fb116b239"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr",
"url": "https://github.com/vim/vim/security/advisories/GHSA-74v4-f3x9-ppvr"
}
],
"release_date": "2025-07-15T20:48:34.764000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim path traversial"
},
{
"cve": "CVE-2025-53906",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-07-15T21:01:15.057182+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2380360"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal flaw was found in Vim. Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vim: Vim path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"known_not_affected": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53906"
},
{
"category": "external",
"summary": "RHBZ#2380360",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380360"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53906"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8",
"url": "https://github.com/vim/vim/commit/586294a04179d855c3d1d4ee5ea83931963680b8"
},
{
"category": "external",
"summary": "https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86",
"url": "https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86"
}
],
"release_date": "2025-07-15T20:52:40.137000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-24T19:34:28+00:00",
"details": "The containers required to run Discovery can be installed through discovery-installer\nRPM. See the official documentation for more details.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:97a1bb076f7f29a5f2b80c4724cb27c4e87f89c2d73a7719c44dc8c044329503_amd64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-server-rhel9@sha256:b4683720677a1e45efbfd291d8b130b530642221e8a55a49e931e1b8b2c81ac3_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740_arm64",
"Red Hat Discovery 2:registry.redhat.io/discovery/discovery-ui-rhel9@sha256:69cb9c84b806ee2f448bdbbcf3174855432f5caec8f31ca2a345655da4a72f57_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "vim: Vim path traversal"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…