CVE-2026-32281 (GCVE-0-2026-32281)
Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-13 18:19
CWE-407 - Inefficient Algorithmic Complexity
| Vendor | Product | Version |
|---|---|---|
| Go standard library | crypto/x509 | Affected: 0, < 1.25.9 (semver); Affected: 1.26.0-0, < 1.26.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:52:37.734298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:19:44.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/x509",
"product": "crypto/x509",
"programRoutines": [
{
"name": "policiesValid"
},
{
"name": "Certificate.Verify"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.2",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek - https://ciolek.dev"
}
],
"descriptions": [
{
"lang": "en",
"value": "Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T01:06:58.354Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/758061"
},
{
"url": "https://go.dev/issue/78281"
},
{
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"title": "Inefficient policy validation in crypto/x509"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-32281",
"datePublished": "2026-04-08T01:06:58.354Z",
"dateReserved": "2026-03-11T16:38:46.556Z",
"dateUpdated": "2026-04-13T18:19:44.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32281",
"date": "2026-06-30",
"epss": "0.00349",
"percentile": "0.26767"
}
}
}
RHSA-2026:24716
Vulnerability from csaf_redhat - Published: 2026-06-09 07:07 - Updated: 2026-06-30 17:10
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 | — | | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for yggdrasil is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "yggdrasil is a system daemon that subscribes to topics on an MQTT broker and routes any data received on the topics to an appropriate child \"worker\" process, exchanging data with its worker processes through a D-Bus message broker.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:24716",
"url": "https://access.redhat.com/errata/RHSA-2026:24716"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24716.json"
}
],
"title": "Red Hat Security Advisory: yggdrasil security update",
"tracking": {
"current_release_date": "2026-06-30T17:10:47+00:00",
"generator": {
"date": "2026-06-30T17:10:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:24716",
"initial_release_date": "2026-06-09T07:07:40+00:00",
"revision_history": [
{
"date": "2026-06-09T07:07:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-09T07:07:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "yggdrasil-0:0.4.9-5.el10_2.src",
"product": {
"name": "yggdrasil-0:0.4.9-5.el10_2.src",
"product_id": "yggdrasil-0:0.4.9-5.el10_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil@0.4.9-5.el10_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "yggdrasil-0:0.4.9-5.el10_2.aarch64",
"product": {
"name": "yggdrasil-0:0.4.9-5.el10_2.aarch64",
"product_id": "yggdrasil-0:0.4.9-5.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil@0.4.9-5.el10_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"product": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"product_id": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debugsource@0.4.9-5.el10_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product_id": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debuginfo@0.4.9-5.el10_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product_id": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-examples-debuginfo@0.4.9-5.el10_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"product": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"product_id": "yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-devel@0.4.9-5.el10_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"product": {
"name": "yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"product_id": "yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil@0.4.9-5.el10_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"product": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"product_id": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debugsource@0.4.9-5.el10_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product_id": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debuginfo@0.4.9-5.el10_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product_id": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-examples-debuginfo@0.4.9-5.el10_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"product": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"product_id": "yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-devel@0.4.9-5.el10_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "yggdrasil-0:0.4.9-5.el10_2.s390x",
"product": {
"name": "yggdrasil-0:0.4.9-5.el10_2.s390x",
"product_id": "yggdrasil-0:0.4.9-5.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil@0.4.9-5.el10_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"product": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"product_id": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debugsource@0.4.9-5.el10_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"product": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"product_id": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debuginfo@0.4.9-5.el10_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"product": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"product_id": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-examples-debuginfo@0.4.9-5.el10_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"product": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"product_id": "yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-devel@0.4.9-5.el10_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "yggdrasil-0:0.4.9-5.el10_2.x86_64",
"product": {
"name": "yggdrasil-0:0.4.9-5.el10_2.x86_64",
"product_id": "yggdrasil-0:0.4.9-5.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil@0.4.9-5.el10_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"product": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"product_id": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debugsource@0.4.9-5.el10_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product_id": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-debuginfo@0.4.9-5.el10_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product_id": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-examples-debuginfo@0.4.9-5.el10_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"product": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"product_id": "yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/yggdrasil-devel@0.4.9-5.el10_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-0:0.4.9-5.el10_2.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src"
},
"product_reference": "yggdrasil-0:0.4.9-5.el10_2.src",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-devel-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"relates_to_product_reference": "CRB-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"product_id": "CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
},
"product_reference": "yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"relates_to_product_reference": "CRB-10.2.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T07:07:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24716"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T07:07:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24716"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T07:07:40+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24716"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.src",
"AppStream-10.2.Z:yggdrasil-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"AppStream-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debuginfo-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-debugsource-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-devel-0:0.4.9-5.el10_2.x86_64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.aarch64",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.ppc64le",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.s390x",
"CRB-10.2.Z:yggdrasil-examples-debuginfo-0:0.4.9-5.el10_2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
}
]
}
RHSA-2026:25089
Vulnerability from csaf_redhat - Published: 2026-06-10 15:39 - Updated: 2026-06-30 17:10
A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Eclipse Jetty. The `JASPIAuthenticator` class is responsible for handling authentication checks. During these checks, the class sets two ThreadLocal variables to store authentication state. Under certain conditions, the authentication process can return early without properly clearing the ThreadLocal variables, allowing a subsequent request to inherit the un-cleared ThreadLocal values. This issue can cause broken access control, authentication bypass, privilege escalation and data breaches.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Spring Boot. This vulnerability, an authentication bypass, occurs when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to sensitive application endpoints. This could lead to information disclosure or unauthorized actions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected endpoints. The vulnerability arises because Quarkus's security layer performs authorization checks on the raw URL path, which preserves these matrix parameters.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to remote code execution in the remote application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the `ApplicationTemp` directory due to predictable temporary directory handling. When the `server.servlet.session.persistent` setting is enabled and the attack persists across application restarts, this could allow the attacker to read session information, hijack authenticated user sessions, or execute arbitrary code as the application's user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Spring Boot. The `${random.value}` property source utilizes a weak pseudo-random number generator (PRNG), meaning the values it produces are not sufficiently random for use as cryptographic secrets. An attacker could potentially predict these values, which may lead to information disclosure or a security bypass if they are used in sensitive applications.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix |
A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| HawtIO HawtIO 4.4.0, Red Hat / Red Hat Build of Apache Camel | cpe:/a:redhat:apache_camel_hawtio:4.4::el9 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "HawtIO 4.4.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "HawtIO 4.4.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\n* spring boot: Remote code execution via timing attack in DevTools remote secret comparison [CVE-2026-40972]\n\n* axios: Invisible JSON Response Tampering via Prototype Pollution Gadget [CVE-2026-42044]\n\n* spring-boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory [CVE-2026-40973]\n\n* io.hawt-project: fast-uri: Path traversal vulnerability allows bypass of security policies [CVE-2026-6321]\n\n* axios: Authentication bypass due to prototype pollution of HTTP error handling [CVE-2026-42041]\n\n* axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data [CVE-2026-42039]\n\n* axios: NO_PROXY bypass via crafted URL [CVE-2026-42043]\n\n* axios: HTTP Transport Hijacking via Prototype Pollution [CVE-2026-42033]\n\n* spring-boot: Weak pseudo-random number generation can lead to information disclosure. [CVE-2026-40975]\n\n* io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests [CVE-2026-39852]\n\n* jetty-ee10-webapp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables [CVE-2026-5795]\n\n* jetty-ee10-servlet: early return from the JASPIAuthenticator class without clearing ThreadLocal variables [CVE-2026-5795]\n\n* spring-boot: Authentication bypass via misconfigured Health Group additional path [CVE-2026-22731]\n\n* jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests [CVE-2026-1605]\n\n* vertx-core: static handler component cache can be manipulated to deny the access to static files [CVE-2026-1002]\n\n* io.hawt-project: prototype pollution in _.unset and _.omit functions [CVE-2025-13465]\n\n* hawtio-operator-container: golang: Denial of Service due to excessive resource consumption via crafted certificate [CVE-2025-61729]\n\n* hawtio-operator-container: Memory exhaustion in query parameter parsing in net/url [CVE-2025-61726]\n\n* axios:Arbitrary HTTP header injection via prototype pollution [CVE-2026-42035]\n\n* jetty-http: HTTP request smuggling via chunked extension quoted-string parsing [CVE-2026-2332]\n\n* hawtio-operator-container: Go: Denial of Service vulnerability in certificate chain building [CVE-2026-32280]\n\n* hawtio-operator-container: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application [CVE-2026-33810]\n\n* hawtio-operator-container: Go crypto/x509: Denial of Service via inefficient certificate chain validation [CVE-2026-32281]\n\n* hawtio-operator-container: Root.Chmod can follow symlinks out of the root [CVE-2026-32282]",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25089",
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25089.json"
}
],
"title": "Red Hat Security Advisory: HawtIO 4.4.0 for Red Hat build of Apache Camel 4 Release and security update.",
"tracking": {
"current_release_date": "2026-06-30T17:10:47+00:00",
"generator": {
"date": "2026-06-30T17:10:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:25089",
"initial_release_date": "2026-06-10T15:39:02+00:00",
"revision_history": [
{
"date": "2026-06-10T15:39:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-10T15:39:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "HawtIO HawtIO 4.4.0",
"product": {
"name": "HawtIO HawtIO 4.4.0",
"product_id": "HawtIO HawtIO 4.4.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_hawtio:4.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13465",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2026-01-21T20:01:28.774829+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431740"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: prototype pollution in _.unset and _.omit functions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user input to determine the path of the property to be removed. This issue only allows the deletion of properties but does not allow overwriting their behavior, limiting the impact to a denial of service. Due to this reason, this vulnerability has been rated with an important severity.\n\nIn Grafana, JavaScript code runs only in the browser, while the server side is all Golang. Therefore, the worst-case scenario is a loss of functionality in the client application inside the browser. To reflect this, the CVSS availability metric and the severity of the Grafana and the Grafana-PCP component have been updated to low and moderate, respectively.\n\nThe lodash dependency is bundled and used by the pcs-web-ui component of the PCS package. In Red Hat Enterprise Linux 8.10, the pcs-web-ui component is no longer included in the PCS package. As a result, RHEL 8.10 does not ship the vulnerable lodash component within PCS and is therefore not-affected by this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-13465"
},
{
"category": "external",
"summary": "RHBZ#2431740",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-01-21T19:05:28.846000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lodash: prototype pollution in _.unset and _.omit functions"
},
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2026-1002",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-01-15T21:03:20.088599+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430180"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability allows a remote attacker to block access to specific static files, such as images, CSS or HTML files. However, the underlying Vert.x server, the API endpoints and other non-cached resources are not affected. Due to this reason, this issue has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1002"
},
{
"category": "external",
"summary": "RHBZ#2430180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1002",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5895",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
}
],
"release_date": "2026-01-15T20:50:25.642000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example:\n\n~~~\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\n~~~",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files"
},
{
"cve": "CVE-2026-1605",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2026-03-05T11:00:57.250283+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444815"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server\u0027s response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1605"
},
{
"category": "external",
"summary": "RHBZ#2444815",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444815"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1605",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1605"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1605"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"
}
],
"release_date": "2026-03-05T09:39:01.315000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests"
},
{
"cve": "CVE-2026-2332",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-04-14T12:01:05.768902+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2458187"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to send a crafted payload to a Jetty server that is behind a reverse proxy or load balancer, specifically with a chunk extension that includes an unclosed double quote before the CRLF to trick the parser. This flaw allows an attacker to bypass security controls, cause cache poisoning or gain unauthorized endpoint access. Due to these reasons, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2332"
},
{
"category": "external",
"summary": "RHBZ#2458187",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458187"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"
}
],
"release_date": "2026-04-14T10:59:10.193000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing"
},
{
"cve": "CVE-2026-5795",
"cwe": {
"id": "CWE-226",
"name": "Sensitive Information in Resource Not Removed Before Reuse"
},
"discovery_date": "2026-04-08T14:01:02.911884+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456519"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. The `JASPIAuthenticator` class is responsible for handling authentication checks. During these checks, the class sets two ThreadLocal variables to store authentication state. Under certain conditions, the authentication process can return early without properly clearing the ThreadLocal variables, allowing a subsequent request to inherit the un-cleared ThreadLocal values. This issue can cause broken access control, authentication bypass, privilege escalation and data breaches.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is only exploitable when `JASPIAuthenticator` class returns early and a subsequent request inherits the un-cleared ThreadLocal values. This requires a new request to be assigned the exact same recycled thread, increasing the complexity of exploitation. Due to these reasons, this flaw has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-5795"
},
{
"category": "external",
"summary": "RHBZ#2456519",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456519"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-5795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5795"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gc59-r5jq-98qw",
"url": "https://github.com/advisories/GHSA-gc59-r5jq-98qw"
}
],
"release_date": "2026-04-08T13:32:28.935000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables"
},
{
"cve": "CVE-2026-6321",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-04T20:01:14.938426+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466582"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6321"
},
{
"category": "external",
"summary": "RHBZ#2466582",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466582"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
}
],
"release_date": "2026-05-04T19:31:57.253000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies"
},
{
"cve": "CVE-2026-22731",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"discovery_date": "2026-03-19T23:02:37.111109+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449290"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot. This vulnerability, an authentication bypass, occurs when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to sensitive application endpoints. This could lead to information disclosure or unauthorized actions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22731"
},
{
"category": "external",
"summary": "RHBZ#2449290",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449290"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22731",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22731"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22731",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22731"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-22731",
"url": "https://spring.io/security/cve-2026-22731"
}
],
"release_date": "2026-03-19T22:36:15.112000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate, ensure that application endpoints requiring authentication are not declared under paths already configured as Health Group additional paths within Spring Boot applications using Actuator. Review and adjust your application\u0027s configuration to prevent this overlap. A redeployment of the application is required for changes to take effect.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path"
},
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-33810",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-08T02:01:09.100830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "RHBZ#2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://go.dev/cl/763763",
"url": "https://go.dev/cl/763763"
},
{
"category": "external",
"summary": "https://go.dev/issue/78332",
"url": "https://go.dev/issue/78332"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4866",
"url": "https://pkg.go.dev/vuln/GO-2026-4866"
}
],
"release_date": "2026-04-08T01:06:56.546000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application"
},
{
"cve": "CVE-2026-39852",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-04-13T13:26:46.572000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457819"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected endpoints. The vulnerability arises because Quarkus\u0027s security layer performs authorization checks on the raw URL path, which preserves these matrix parameters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39852"
},
{
"category": "external",
"summary": "RHBZ#2457819",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457819"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39852",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39852"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39852",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39852"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9"
}
],
"release_date": "2026-05-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure a reverse proxy or load balancer in front of the Quarkus application to normalize incoming URL paths by stripping matrix parameters (semicolons) before requests reach the Quarkus security layer. This ensures that authorization checks are performed on the intended path. Ensure that any changes to proxy configurations are thoroughly tested and services are reloaded or restarted as necessary to apply the new settings.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests"
},
{
"cve": "CVE-2026-40972",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2026-04-28T00:02:02.075124+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2463332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to remote code execution in the remote application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40972"
},
{
"category": "external",
"summary": "RHBZ#2463332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40972",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40972"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40972",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40972"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-40972",
"url": "https://spring.io/security/cve-2026-40972"
}
],
"release_date": "2026-04-27T23:15:19.194000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the Spring Boot DevTools remote functionality in production environments. This feature is primarily intended for development and should not be enabled in publicly accessible deployments.\n\nTo disable remote DevTools, ensure the `spring.devtools.remote.secret` property is not configured, or explicitly set `spring.devtools.remote.enabled=false` in your application\u0027s `application.properties` or `application.yml` file.\n\nExample for `application.properties`:\n`spring.devtools.remote.enabled=false`\n\nDisabling this feature may impact development workflows that rely on remote DevTools capabilities. A restart of the application is required for the changes to take effect.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison"
},
{
"cve": "CVE-2026-40973",
"cwe": {
"id": "CWE-341",
"name": "Predictable from Observable State"
},
"discovery_date": "2026-04-28T00:01:55.408040+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2463330"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the `ApplicationTemp` directory due to predictable temporary directory handling. When the `server.servlet.session.persistent` setting is enabled and the attack persists across application restarts, this could allow the attacker to read session information, hijack authenticated user sessions, or execute arbitrary code as the application\u0027s user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40973"
},
{
"category": "external",
"summary": "RHBZ#2463330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463330"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40973",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40973"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40973",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40973"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-40973",
"url": "https://spring.io/security/cve-2026-40973"
}
],
"release_date": "2026-04-27T23:29:51.946000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that the `server.servlet.session.persistent` property is set to `false` in your Spring Boot application\u0027s configuration. This prevents session information from being written to the predictable temporary directory, thereby removing the conditions necessary for exploitation. Disabling persistent sessions may affect application behavior that relies on session data surviving restarts.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory"
},
{
"cve": "CVE-2026-40975",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"discovery_date": "2026-04-28T00:01:58.716976+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2463331"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot. The `${random.value}` property source utilizes a weak pseudo-random number generator (PRNG), meaning the values it produces are not sufficiently random for use as cryptographic secrets. An attacker could potentially predict these values, which may lead to information disclosure or a security bypass if they are used in sensitive applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40975"
},
{
"category": "external",
"summary": "RHBZ#2463331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463331"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40975",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40975"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40975",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40975"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-40975",
"url": "https://spring.io/security/cve-2026-40975"
}
],
"release_date": "2026-04-27T23:32:58.596000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Applications utilizing Spring Boot should avoid using the `${random.value}` property for generating cryptographic secrets or other security-sensitive data. Developers should review their application configurations and code to ensure that only cryptographically strong random number generators are used for such purposes. For UUID generation, `${random.uuid}` is not affected and can be used.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure."
},
{
"cve": "CVE-2026-42033",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:20.937507+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461607"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "RHBZ#2461607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
}
],
"release_date": "2026-04-24T17:36:44.132000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
},
{
"cve": "CVE-2026-42035",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:17.109481+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "RHBZ#2461606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
}
],
"release_date": "2026-04-24T17:38:07.752000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
},
{
"cve": "CVE-2026-42039",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-24T19:01:44.887156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "RHBZ#2461630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
}
],
"release_date": "2026-04-24T18:01:30.775000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
},
{
"cve": "CVE-2026-42041",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:41.034289+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "RHBZ#2461629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
"url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
}
],
"release_date": "2026-04-24T17:55:30.036000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
},
{
"cve": "CVE-2026-42043",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-04-24T19:01:22.552379+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461626"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: NO_PROXY bypass via crafted URL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "RHBZ#2461626",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
}
],
"release_date": "2026-04-24T17:54:42.668000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: NO_PROXY bypass via crafted URL"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"HawtIO HawtIO 4.4.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T15:39:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"HawtIO HawtIO 4.4.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25089"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"HawtIO HawtIO 4.4.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"HawtIO HawtIO 4.4.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
}
]
}
RHSA-2026:26054
Vulnerability from csaf_redhat - Published: 2026-06-15 19:47 - Updated: 2026-06-30 17:10
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64 | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.\n\nSecurity Fix(es):\n\n* github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (CVE-2026-34986)\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26054",
"url": "https://access.redhat.com/errata/RHSA-2026:26054"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26054.json"
}
],
"title": "Red Hat Security Advisory: osbuild-composer security update",
"tracking": {
"current_release_date": "2026-06-30T17:10:52+00:00",
"generator": {
"date": "2026-06-30T17:10:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26054",
"initial_release_date": "2026-06-15T19:47:42+00:00",
"revision_history": [
{
"date": "2026-06-15T19:47:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-15T19:47:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132.2-8.el9_6.src",
"product": {
"name": "osbuild-composer-0:132.2-8.el9_6.src",
"product_id": "osbuild-composer-0:132.2-8.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132.2-8.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132.2-8.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"product_id": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132.2-8.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132.2-8.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_id": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132.2-8.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-core-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132.2-8.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"product_id": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132.2-8.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132.2-8.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64",
"product_id": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132.2-8.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132.2-8.el9_6.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src"
},
"product_reference": "osbuild-composer-0:132.2-8.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-core-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T19:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26054"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T19:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26054"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.src",
"AppStream-9.6.0.Z.EUS:osbuild-composer-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-core-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-debugsource-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-tests-debuginfo-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-0:132.2-8.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:osbuild-composer-worker-debuginfo-0:132.2-8.el9_6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
RHSA-2026:26077
Vulnerability from csaf_redhat - Published: 2026-06-15 22:11 - Updated: 2026-06-30 17:10
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64 | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64 | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64 | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x | — | | Vendor Fix fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64 | — | | Vendor Fix fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le | — | | Vendor Fix fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64 | — | | Vendor Fix fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x | — | | Vendor Fix fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64 | — | | Vendor Fix fix, Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64 | — | | Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.11.12 for Red Hat OpenShift Service Mesh 3.1 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.1. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.11.12, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 redhat-user-workloads/kiali-3-1: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13868)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26077",
"url": "https://access.redhat.com/errata/RHSA-2026:26077"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26077.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.11.12 for Red Hat OpenShift Service Mesh 3.1",
"tracking": {
"current_release_date": "2026-06-30T17:10:52+00:00",
"generator": {
"date": "2026-06-30T17:10:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26077",
"initial_release_date": "2026-06-15T22:11:01+00:00",
"revision_history": [
{
"date": "2026-06-15T22:11:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-15T22:11:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916478"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470706"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916478"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Abf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470706"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916478"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470706"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916478"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470706"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64 as a component of Red Hat OpenShift Service Mesh 3.1",
"product_id": "Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:11:01+00:00",
"details": "See Kiali 2.11.12 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26077"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:11:01+00:00",
"details": "See Kiali 2.11.12 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.1/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26077"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:626653a4f6e9c2c047cfb66d1bdd667e4fdf8fdc3d84c3fc06defb19fe976958_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6d03aff1601a0380a8a8346ed8df9e032134d0ab4d6143ee93fd64e57971ee43_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:7e59e57089fb732a2053dc8b5aa5d83c944bf5e720ee874dec579ecb8bbdc630_amd64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:bf317da1aa106f4ad08eae11a822fd5d4c81c698ce939e12055a7d5f639b6432_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dad7ea2d7bd1843dff0fbfbee9b6356a0d3356074966e2ad5eceb08a139ffae_ppc64le",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2b86f08b8e454f2b44cf38bf92b0146100960db8c21bf0145594428b0547de08_arm64",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:3dd39ad7ffcf143d82203f5de0cddb42834642dbcab56a27df78fbf1875d8039_s390x",
"Red Hat OpenShift Service Mesh 3.1:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a3a6c4465595a52d7c9ec7acdde38dc655ae8aaf5af6925738da00ab2514dc6e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:26079
Vulnerability from csaf_redhat - Published: 2026-06-15 22:32 - Updated: 2026-06-30 17:10
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64 | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64 | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64 | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64 | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x | — | Vendor Fix fix | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le | — | Vendor Fix fix | |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le | — | Vendor Fix fix Workaround | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x | — | Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64 | — | Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64 | — | Workaround | |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le | — | Workaround | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.17.9 for Red Hat OpenShift Service Mesh 3.2 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.2. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.17.9, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 redhat-user-workloads/kiali-3-2: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13869)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13911)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13915)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26079",
"url": "https://access.redhat.com/errata/RHSA-2026:26079"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26079.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.17.9 for Red Hat OpenShift Service Mesh 3.2",
"tracking": {
"current_release_date": "2026-06-30T17:10:53+00:00",
"generator": {
"date": "2026-06-30T17:10:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26079",
"initial_release_date": "2026-06-15T22:32:11+00:00",
"revision_history": [
{
"date": "2026-06-15T22:32:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-15T22:32:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.2",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916392"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470003"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916392"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470003"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Adfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916392"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470003"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ad2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916392"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470003"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64 as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le as a component of Red Hat OpenShift Service Mesh 3.2",
"product_id": "Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:32:11+00:00",
"details": "See Kiali 2.17.9 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26079"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:32:11+00:00",
"details": "See Kiali 2.17.9 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.2/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26079"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:053f62e9327d00cff42761b6329de9ad51aa991cb407ee93dfd264a119dcbedd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2712fb5cb978d5670aa858a4bb6c9906d84913d7f8d7ea616ae90c531650bf84_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fa68ac996600468f6db141b2aae175fd74739def04b98b845733d172d3f484d_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:6fe037a6b9dbc97f43eca680b2b5a09fccfea561af01a82d1c55a53ce413a661_ppc64le",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:473a0b1d4381fe01222ed465cc311e6c7471322988d3f6a5efe9c884a3fbe008_amd64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a55e8a19ef4ff99d5ddc68a92ce37373ccf1ff7d69bdcaffa07c8fe3bee5f3b5_arm64",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d2be1e36684ba72d0245a864f82274003b0b26d7dfcb80cee88d116f6c0cb3cd_s390x",
"Red Hat OpenShift Service Mesh 3.2:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:dfdb0cd01be7092f7338444876e89d92979381b602a4b38c10980ac3c1213fb0_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:26080
Vulnerability from csaf_redhat - Published: 2026-06-15 22:39 - Updated: 2026-06-30 17:10

A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64 | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64 | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64 | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64 | — | | Vendor Fix |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x | — | | Vendor Fix |

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64 | — | | Vendor Fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64 | — | | Vendor Fix, Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x | — | | Vendor Fix, Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64 | — | | Workaround |
| Unresolved product id: Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le | — | | Workaround |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.4.18 for Red Hat OpenShift Service Mesh 3.0 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.0. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.4.18, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 redhat-user-workloads/kiali-3-0: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13867)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26080",
"url": "https://access.redhat.com/errata/RHSA-2026:26080"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26080.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.4.18 for Red Hat OpenShift Service Mesh 3.0",
"tracking": {
"current_release_date": "2026-06-30T17:10:54+00:00",
"generator": {
"date": "2026-06-30T17:10:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26080",
"initial_release_date": "2026-06-15T22:39:05+00:00",
"revision_history": [
{
"date": "2026-06-15T22:39:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-15T22:39:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.0",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916345"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470245"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Aa54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916345"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470245"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916345"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470245"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Acf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780916345"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780470245"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64 as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x as a component of Red Hat OpenShift Service Mesh 3.0",
"product_id": "Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:39:05+00:00",
"details": "See Kiali 2.4.18 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26080"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T22:39:05+00:00",
"details": "See Kiali 2.4.18 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.0/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26080"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:251fd9c3bfe135b9a7544c97c4169b36183a3b8c4c3b2255b772359f00e932e9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:2f171572c72f05b82da40f74fd25cf479d693afb24477e15478d2b602b86bd16_s390x",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4b98893e9a829922e0444f70b0011d1a9c8af3a08d6e48f6c87d752657db1c68_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:ac654a09e840d2e4d47ed77a70d29d5ca01d8d3fa8e8905b90cda4e4a77813f1_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:10a6ac2eebe2fbab2a2ab538687774d227dec3c4b87f4b283ac7fa1510b87288_ppc64le",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:2e2cde16b866b764d4191d0024b07f8517ee390fff35b4af0109356da7646495_amd64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:a54f200ca82613a7c4a58b99e7f1b1dc1b0c9462e0a457f7c1c28a878ec8b8b9_arm64",
"Red Hat OpenShift Service Mesh 3.0:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:cf6c0442d0aa7c3265a01f672723356aed640ad0a8ea4a197e106397e451fdb2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
}
]
}
RHSA-2026:26090
Vulnerability from csaf_redhat - Published: 2026-06-15 23:27 - Updated: 2026-06-30 17:10
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64 | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x | — | ||
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64 | — |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64 | — |
Workaround
|
A flaw was found in protobufjs, a library used to compile protobuf definitions into JavaScript functions. A remote attacker could exploit this vulnerability by providing a crafted descriptor that includes a non-string default value for a bytes field. This could lead to the generation of an unsafe expression within the toObject conversion function, ultimately allowing the attacker to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64 | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x | — |
Workaround
|
|
| Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Kiali 2.22.5 for Red Hat OpenShift Service Mesh 3.3 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.3. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Kiali 2.22.5, for Red Hat OpenShift Service Mesh 3.3, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32281 Go crypto/x509: Denial of Service via inefficient certificate chain validation (OSSM-13870)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13912)\n\n* CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13916)\n\n* CVE-2026-44293 openshift-service-mesh/kiali-rhel9: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors (ossm-13962)\n\n* CVE-2026-44293 openshift-service-mesh/kiali-ossmc-rhel9: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors (ossm-13963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26090",
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44293",
"url": "https://access.redhat.com/security/cve/CVE-2026-44293"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26090.json"
}
],
"title": "Red Hat Security Advisory: Kiali 2.22.5 for Red Hat OpenShift Service Mesh 3.3",
"tracking": {
"current_release_date": "2026-06-30T17:10:54+00:00",
"generator": {
"date": "2026-06-30T17:10:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26090",
"initial_release_date": "2026-06-15T23:27:25+00:00",
"revision_history": [
{
"date": "2026-06-15T23:27:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-15T23:27:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 3.3",
"product": {
"name": "Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:3.3::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780997438"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-operator-bundle@sha256%3A2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-operator-bundle\u0026tag=1781006252"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Af739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator\u0026tag=1780997314"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780997382"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3Ab424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780997438"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Abe7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator\u0026tag=1780997314"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780997382"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780997438"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3A8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator\u0026tag=1780997314"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780997382"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9@sha256%3A20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9\u0026tag=1780997438"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-rhel9-operator@sha256%3Ad1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator\u0026tag=1780997314"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"product": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Acb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9\u0026tag=1780997382"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
"product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
},
"product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64",
"relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T23:27:25+00:00",
"details": "See Kiali 2.22.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain, which would require that the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T23:27:25+00:00",
"details": "See Kiali 2.22.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-44293",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-05-13T16:03:50.961609+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477104"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in protobufjs, a library used to compile protobuf definitions into JavaScript functions. A remote attacker could exploit this vulnerability by providing a crafted descriptor that includes a non-string default value for a bytes field. This could lead to the generation of an unsafe expression within the toObject conversion function, ultimately allowing the attacker to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw affecting Red Hat products that incorporate the protobufjs library. protobufjs is vulnerable to arbitrary code execution when compiling protobuf definitions into JavaScript. During generation of the toObject conversion function, a schema-controlled default value on a bytes field that is not a string can be emitted as unsafe JavaScript code. An attacker who can supply or influence the protobuf descriptor processed by the application (low privileges required) may achieve code execution in the Node.js process context. Fixed upstream in protobufjs 7.5.6 and 8.0.2. Affects Red Hat offerings that bundle protobufjs and process attacker-influenced protobuf schemas at runtime.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"known_not_affected": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44293"
},
{
"category": "external",
"summary": "RHBZ#2477104",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477104"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44293"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44293",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44293"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm"
}
],
"release_date": "2026-05-13T14:43:33.342000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-15T23:27:25+00:00",
"details": "See Kiali 2.22.4 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26090"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:2daadecfbd74f5117f1f201422e40873c3e282d4cfa7f68120b6cf20c0a25df5_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:26bfd90af1d7fb3787511dea26d5ea1368f07b145f85758d708bfa108abaec65_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:8211925df422ecce0ba43f8aed2299cf3a2cc1b04c68be59972bfee210f5f094_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:9504542a9e097ed2f7a2729883db5be8bbc9c8a5f776797bb0f4e145aee70ea3_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:cb4859594eb70bdbafb57c6559ef63ba5ad5f75661cf0863fe6f1c3e287326da_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:8450f54ec40626dccf2d7e31ff964fbfd9cb603b208f50e640e72933d568ef3e_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:be7aa341e43aed513489afd74dca73bd8470a9f49514792a74715bd198f6cb1d_arm64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:d1f1ee9cc09c530e5e795e2e7ababbc3c9b6b6c1412944a73537c1a7d5cdea76_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:f739d6238e0822edb906a9b21cab46e47799daa0ac4be96b6678de52a9ecc0a2_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:0dbf34fe3dfa3ad05d3b4f0b31c6df5af681b6861dce5f1d5afda55172d624ef_amd64",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:20b191658314a61ccce8d4fd355f00c53e3899bb3d59eae1474105c012ddff8d_s390x",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78d18c9e3add33c1d107c362ed7b5f8fd7662b69ae8b53ec2010584c25738746_ppc64le",
"Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:b424872f6a729439b1e01bc874496b91b9eedd9241186f2259592a0e4a215614_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors"
}
]
}
RHSA-2026:26234
Vulnerability from csaf_redhat - Published: 2026-06-16 09:33 - Updated: 2026-06-30 17:10
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI's intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by exploiting the `inspect` function. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the "type" fields of protobuf definitions. This malicious code will then execute during the object decoding process, leading to arbitrary code execution and potentially full system compromise.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final output. This could lead to the manipulation of data within the XML document.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |
A flaw was found in the `xmldom` library, a JavaScript module for parsing XML documents. An attacker could exploit this vulnerability by providing a specially crafted, deeply nested XML document. This could lead to a Denial of Service (DoS) by causing the application to crash due to excessive recursion.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |
A flaw was found in xmldom and @xmldom/xmldom, a JavaScript library for parsing and serializing XML. This vulnerability allows an attacker to inject arbitrary XML markup into a document due to improper handling of DocumentType node fields during serialization. By crafting malicious input, an attacker can cause the XML serializer to prematurely terminate the DOCTYPE declaration, enabling the insertion of unauthorized content. This could lead to information disclosure or, in certain configurations, the execution of arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | ||
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
A flaw was found in xmldom. A remote attacker can exploit this vulnerability by providing specially crafted processing instruction data. Due to improper validation of the processing instruction closing sequence, the attacker can terminate the instruction prematurely and inject arbitrary XML nodes into the serialized output. This can lead to data manipulation and integrity issues within applications that process the affected XML.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — |
Workaround
|
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | |

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | |

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | |

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | |

A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in protobufjs, a library used to compile protobuf definitions into JavaScript functions. A remote attacker could exploit this vulnerability by providing a crafted descriptor that includes a non-string default value for a bytes field. This could lead to the generation of an unsafe expression within the toObject conversion function, ultimately allowing the attacker to execute arbitrary code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 | — | | Vendor Fix: fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 | — | | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 | — | | Workaround |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.9.5 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26234",
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-24781",
"url": "https://access.redhat.com/security/cve/CVE-2026-24781"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41242",
"url": "https://access.redhat.com/security/cve/CVE-2026-41242"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41672",
"url": "https://access.redhat.com/security/cve/CVE-2026-41672"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41673",
"url": "https://access.redhat.com/security/cve/CVE-2026-41673"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41674",
"url": "https://access.redhat.com/security/cve/CVE-2026-41674"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41675",
"url": "https://access.redhat.com/security/cve/CVE-2026-41675"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44293",
"url": "https://access.redhat.com/security/cve/CVE-2026-44293"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6321",
"url": "https://access.redhat.com/security/cve/CVE-2026-6321"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6322",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
"url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
},
{
"category": "external",
"summary": "https://developers.redhat.com/rhdh/overview",
"url": "https://developers.redhat.com/rhdh/overview"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-3128",
"url": "https://issues.redhat.com/browse/RHDHBUGS-3128"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26234.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Developer Hub 1.9.5 release.",
"tracking": {
"current_release_date": "2026-06-30T17:10:54+00:00",
"generator": {
"date": "2026-06-30T17:10:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26234",
"initial_release_date": "2026-06-16T09:33:13+00:00",
"revision_history": [
{
"date": "2026-06-16T09:33:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-16T14:24:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.9",
"product": {
"name": "Red Hat Developer Hub 1.9",
"product_id": "Red Hat Developer Hub 1.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.9::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Adca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1781187342"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1781187028"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256%3Adac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1781191254"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64 as a component of Red Hat Developer Hub 1.9",
"product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64 as a component of Red Hat Developer Hub 1.9",
"product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64 as a component of Red Hat Developer Hub 1.9",
"product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6321",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-04T20:01:14.938426+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466582"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization, leading to distinct URLs resolving to the same internal path. This could allow an attacker to bypass security policies that rely on path-based comparisons, potentially gaining unauthorized access to resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6321"
},
{
"category": "external",
"summary": "RHBZ#2466582",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466582"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
}
],
"release_date": "2026-05-04T19:31:57.253000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies"
},
{
"cve": "CVE-2026-6322",
"cwe": {
"id": "CWE-140",
"name": "Improper Neutralization of Delimiters"
},
"discovery_date": "2026-05-05T11:01:00.332189+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466684"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier (URI) that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw separators, which can change the URI\u0027s intended authority. This issue allows applications that perform host allowlist checks, redirect validation, or outbound request routing to be steered to a different authority than specified, potentially bypassing security controls.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6322"
},
{
"category": "external",
"summary": "RHBZ#2466684",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466684"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6322",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
}
],
"release_date": "2026-05-05T10:29:16.378000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "fast-uri: fast-uri: URI authority bypass due to improper delimiter handling"
},
{
"cve": "CVE-2026-9277",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-05-22T14:01:14.427751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9277"
},
{
"category": "external",
"summary": "RHBZ#2480741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote",
"url": "https://github.com/ljharb/shell-quote"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/commit/1518179",
"url": "https://github.com/ljharb/shell-quote/commit/1518179"
},
{
"category": "external",
"summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
"url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/shell-quote",
"url": "https://www.npmjs.com/package/shell-quote"
}
],
"release_date": "2026-05-22T13:22:38.873000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
},
{
"cve": "CVE-2026-24781",
"cwe": {
"id": "CWE-653",
"name": "Improper Isolation or Compartmentalization"
},
"discovery_date": "2026-05-04T19:03:41.437468+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466531"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by exploiting the `inspect` function. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-24781"
},
{
"category": "external",
"summary": "RHBZ#2466531",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466531"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-24781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24781"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24781"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189",
"url": "https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c",
"url": "https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228",
"url": "https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
},
{
"category": "external",
"summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c"
}
],
"release_date": "2026-05-04T16:33:32.869000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain, which would require that the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-41242",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-04-18T17:00:50.677423+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2459442"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the \"type\" fields of protobuf definitions. This malicious code will then execute during the object decoding process, leading to arbitrary code execution and potentially full system compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41242"
},
{
"category": "external",
"summary": "RHBZ#2459442",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459442"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41242",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41242"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41242",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41242"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75",
"url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956",
"url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"
}
],
"release_date": "2026-04-18T16:18:10.652000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields"
},
{
"cve": "CVE-2026-41672",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"discovery_date": "2026-05-07T05:02:05.372643+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467631"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final output. This could lead to the manipulation of data within the XML document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Important. The `xmldom` JavaScript module, used in various Red Hat products, is vulnerable to arbitrary XML node injection. An attacker can craft malicious XML comments to prematurely terminate a comment block and insert unauthorized XML elements, leading to data manipulation within the processed XML document. This risk is present in applications that handle and serialize untrusted XML input.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41672"
},
{
"category": "external",
"summary": "RHBZ#2467631",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467631"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41672"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41672",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41672"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7",
"url": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1",
"url": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/pull/987",
"url": "https://github.com/xmldom/xmldom/pull/987"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
}
],
"release_date": "2026-05-07T03:36:16.914000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection"
},
{
"cve": "CVE-2026-41673",
"cwe": {
"id": "CWE-776",
"name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
},
"discovery_date": "2026-05-07T05:02:01.500444+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `xmldom` library, a JavaScript module for parsing XML documents. An attacker could exploit this vulnerability by providing a specially crafted, deeply nested XML document. This could lead to a Denial of Service (DoS) by causing the application to crash due to excessive recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "@xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in the `xmldom` library, which can lead to application crashes. The flaw occurs when processing specially crafted, deeply nested XML documents, causing excessive recursion and exhausting system resources. This can impact the availability of Red Hat products that utilize `xmldom` to parse untrusted XML input, as it does not require authentication or complex preconditions for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41673"
},
{
"category": "external",
"summary": "RHBZ#2467630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41673"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41673",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41673"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa",
"url": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597",
"url": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f",
"url": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a",
"url": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe",
"url": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3",
"url": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112",
"url": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb",
"url": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84",
"url": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"
}
],
"release_date": "2026-05-07T03:40:28.378000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "@xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents"
},
{
"cve": "CVE-2026-41674",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"discovery_date": "2026-05-07T05:01:25.803044+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467620"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript library for parsing and serializing XML. This vulnerability allows an attacker to inject arbitrary XML markup into a document due to improper handling of DocumentType node fields during serialization. By crafting malicious input, an attacker can cause the XML serializer to prematurely terminate the DOCTYPE declaration, enabling the insertion of unauthorized content. This could lead to information disclosure or, in certain configurations, the execution of arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xmldom: xmldom: Arbitrary XML markup injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41674"
},
{
"category": "external",
"summary": "RHBZ#2467620",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467620"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41674",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41674"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41674",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41674"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314",
"url": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
}
],
"release_date": "2026-05-07T03:47:51.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xmldom: xmldom: Arbitrary XML markup injection"
},
{
"cve": "CVE-2026-41675",
"cwe": {
"id": "CWE-91",
"name": "XML Injection (aka Blind XPath Injection)"
},
"discovery_date": "2026-05-07T05:01:58.399809+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2467629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in xmldom. A remote attacker can exploit this vulnerability by providing specially crafted processing instruction data. Due to improper validation of the processing instruction closing sequence, the attacker can terminate the instruction prematurely and inject arbitrary XML nodes into the serialized output. This can lead to data manipulation and integrity issues within applications that process the affected XML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41675"
},
{
"category": "external",
"summary": "RHBZ#2467629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41675"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41675",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41675"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2",
"url": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
},
{
"category": "external",
"summary": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
}
],
"release_date": "2026-05-07T03:49:34.056000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions"
},
{
"cve": "CVE-2026-42033",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:20.937507+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461607"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42033"
},
{
"category": "external",
"summary": "RHBZ#2461607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
}
],
"release_date": "2026-04-24T17:36:44.132000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
},
{
"cve": "CVE-2026-42035",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T18:01:17.109481+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42035"
},
{
"category": "external",
"summary": "RHBZ#2461606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
}
],
"release_date": "2026-04-24T17:38:07.752000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
},
{
"cve": "CVE-2026-42039",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-24T19:01:44.887156+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42039"
},
{
"category": "external",
"summary": "RHBZ#2461630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
"url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
}
],
"release_date": "2026-04-24T18:01:30.775000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
},
{
"cve": "CVE-2026-42041",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:41.034289+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42041"
},
{
"category": "external",
"summary": "RHBZ#2461629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
"url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
}
],
"release_date": "2026-04-24T17:55:30.036000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
},
{
"cve": "CVE-2026-42043",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-04-24T19:01:22.552379+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461626"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: NO_PROXY bypass via crafted URL",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42043"
},
{
"category": "external",
"summary": "RHBZ#2461626",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
}
],
"release_date": "2026-04-24T17:54:42.668000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: NO_PROXY bypass via crafted URL"
},
{
"cve": "CVE-2026-42044",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-24T19:01:13.418725+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2461624"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42044"
},
{
"category": "external",
"summary": "RHBZ#2461624",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
}
],
"release_date": "2026-04-24T17:49:49.517000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
},
{
"cve": "CVE-2026-44293",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-05-13T16:03:50.961609+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2477104"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in protobufjs, a library used to compile protobuf definitions into JavaScript functions. A remote attacker could exploit this vulnerability by providing a crafted descriptor that includes a non-string default value for a bytes field. This could lead to the generation of an unsafe expression within the toObject conversion function, ultimately allowing the attacker to execute arbitrary code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important flaw affecting Red Hat products that incorporate the protobufjs library. protobufjs is vulnerable to arbitrary code execution when compiling protobuf definitions into JavaScript. During generation of the toObject conversion function, a schema-controlled default value on a bytes field that is not a string can be emitted as unsafe JavaScript code. An attacker who can supply or influence the protobuf descriptor processed by the application (low privileges required) may achieve code execution in the Node.js process context. Fixed upstream in protobufjs 7.5.6 and 8.0.2. Affects Red Hat offerings that bundle protobufjs and process attacker-influenced protobuf schemas at runtime.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44293"
},
{
"category": "external",
"summary": "RHBZ#2477104",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477104"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44293",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44293"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44293",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44293"
},
{
"category": "external",
"summary": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm"
}
],
"release_date": "2026-05-13T14:43:33.342000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors"
},
{
"cve": "CVE-2026-44486",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:30.944384+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487947"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44486"
},
{
"category": "external",
"summary": "RHBZ#2487947",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
"url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
}
],
"release_date": "2026-06-11T15:39:07.714000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
},
{
"cve": "CVE-2026-44487",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2026-06-11T17:01:34.091476+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487948"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44487"
},
{
"category": "external",
"summary": "RHBZ#2487948",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
}
],
"release_date": "2026-06-11T15:38:25.150000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
},
{
"cve": "CVE-2026-44488",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-11T17:01:36.836488+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487949"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44488"
},
{
"category": "external",
"summary": "RHBZ#2487949",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
}
],
"release_date": "2026-06-11T15:37:38.013000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
},
{
"cve": "CVE-2026-44492",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-11T17:00:56.761751+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487938"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44492"
},
{
"category": "external",
"summary": "RHBZ#2487938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
}
],
"release_date": "2026-06-11T15:29:13.890000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
},
{
"cve": "CVE-2026-44494",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:01:12.945664+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487942"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44494"
},
{
"category": "external",
"summary": "RHBZ#2487942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
"url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
}
],
"release_date": "2026-06-11T15:32:03.155000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
},
{
"cve": "CVE-2026-44495",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-06-11T17:00:53.999811+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487937"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44495"
},
{
"category": "external",
"summary": "RHBZ#2487937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
}
],
"release_date": "2026-06-11T15:33:12.433000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
},
{
"cve": "CVE-2026-44496",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-06-11T17:01:15.856386+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487943"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44496"
},
{
"category": "external",
"summary": "RHBZ#2487943",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
"url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
}
],
"release_date": "2026-06-11T15:34:28.492000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T09:33:13+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:dca74b10e54c6598ef2f8d962f677895ee6ca745778f0f5db25e0ebfe443990e_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:dac8b7c19b9bf59aa6df97828ae6955252ba45246d1597cd2cf46c028dfce4fb_amd64",
"Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:9e95e1183f47b0f9aa439bdb408a0ccdf87b72cefe704abad0c7e9a90bd607f5_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
}
]
}
RHSA-2026:26447
Vulnerability from csaf_redhat - Published: 2026-06-16 23:08 - Updated: 2026-06-30 17:10

A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix | |

A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64 | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x | — | | Vendor Fix, fix |
| Unresolved product id: AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64 | — | | Vendor Fix, fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for podman is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.\n\nSecurity Fix(es):\n\n* crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26447",
"url": "https://access.redhat.com/errata/RHSA-2026:26447"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26447.json"
}
],
"title": "Red Hat Security Advisory: podman security update",
"tracking": {
"current_release_date": "2026-06-30T17:10:55+00:00",
"generator": {
"date": "2026-06-30T17:10:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26447",
"initial_release_date": "2026-06-16T23:08:41+00:00",
"revision_history": [
{
"date": "2026-06-16T23:08:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-16T23:08:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-6:5.8.2-3.el9_8.src",
"product": {
"name": "podman-6:5.8.2-3.el9_8.src",
"product_id": "podman-6:5.8.2-3.el9_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@5.8.2-3.el9_8?arch=src\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-plugins-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-plugins-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-remote-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-remote-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-tests-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-tests-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debugsource@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins-debuginfo@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote-debuginfo@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_id": "podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests-debuginfo@5.8.2-3.el9_8?arch=aarch64\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-remote-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-remote-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-tests-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-tests-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debugsource@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins-debuginfo@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote-debuginfo@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_id": "podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests-debuginfo@5.8.2-3.el9_8?arch=ppc64le\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-plugins-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-plugins-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-remote-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-remote-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-tests-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-tests-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debugsource@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins-debuginfo@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote-debuginfo@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_id": "podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests-debuginfo@5.8.2-3.el9_8?arch=x86_64\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-plugins-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-plugins-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-remote-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-remote-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-tests-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-tests-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debugsource-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-debugsource-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debugsource@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-debuginfo@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-plugins-debuginfo@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-remote-debuginfo@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
},
{
"category": "product_version",
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"product": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_id": "podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-tests-debuginfo@5.8.2-3.el9_8?arch=s390x\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "podman-docker-6:5.8.2-3.el9_8.noarch",
"product": {
"name": "podman-docker-6:5.8.2-3.el9_8.noarch",
"product_id": "podman-docker-6:5.8.2-3.el9_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/podman-docker@5.8.2-3.el9_8?arch=noarch\u0026epoch=6"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-6:5.8.2-3.el9_8.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src"
},
"product_reference": "podman-6:5.8.2-3.el9_8.src",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debuginfo-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-debugsource-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-debugsource-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-docker-6:5.8.2-3.el9_8.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch"
},
"product_reference": "podman-docker-6:5.8.2-3.el9_8.noarch",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-plugins-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-plugins-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-plugins-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-remote-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-remote-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-remote-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-remote-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-tests-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-tests-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-tests-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-tests-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64"
},
"product_reference": "podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le"
},
"product_reference": "podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x"
},
"product_reference": "podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
},
"product_reference": "podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64",
"relates_to_product_reference": "AppStream-9.8.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T23:08:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26447"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain, which would require that the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T23:08:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26447"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32283",
"cwe": {
"id": "CWE-764",
"name": "Multiple Locks of a Critical Resource"
},
"discovery_date": "2026-04-08T02:01:16.213799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456338"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/tls` package within the Go (golang) standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock, leading to uncontrolled consumption of resources and ultimately a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32283"
},
{
"category": "external",
"summary": "RHBZ#2456338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32283",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"category": "external",
"summary": "https://go.dev/cl/763767",
"url": "https://go.dev/cl/763767"
},
{
"category": "external",
"summary": "https://go.dev/issue/78334",
"url": "https://go.dev/issue/78334"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4870",
"url": "https://pkg.go.dev/vuln/GO-2026-4870"
}
],
"release_date": "2026-04-08T01:06:57.670000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-16T23:08:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26447"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.src",
"AppStream-9.8.0.Z.MAIN.EUS:podman-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-debugsource-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-docker-6:5.8.2-3.el9_8.noarch",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-plugins-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-remote-debuginfo-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-6:5.8.2-3.el9_8.x86_64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.aarch64",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.ppc64le",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.s390x",
"AppStream-9.8.0.Z.MAIN.EUS:podman-tests-debuginfo-6:5.8.2-3.el9_8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages"
}
]
}
RHSA-2026:26568
Vulnerability from csaf_redhat - Published: 2026-06-17 12:57 - Updated: 2026-06-30 17:10

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le | — | | Vendor Fix |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x | — | | Vendor Fix |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64 | — | | Vendor Fix |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64 | — | | Vendor Fix |
A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64 | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64 | — | | Vendor Fix, Workaround |
A flaw was found in the `internal/syscall/unix` package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64 | — | | Vendor Fix, Workaround |
| Unresolved product id: OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64 | — | | Vendor Fix, Workaround |
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.
A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.
A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.
A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.
A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new version of OpenShift API for Data Protection (OADP) is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift API for Data Protection (OADP) enables you to back up and restore\napplication resources, persistent volume data, and internal container\nimages to external backup storage. OADP enables both file system-based and\nsnapshot-based backups for persistent volumes.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:26568",
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-25679",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27137",
"url": "https://access.redhat.com/security/cve/CVE-2026-27137"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32280",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32281",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32282",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33186",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33747",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33748",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33810",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34986",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/backup_and_restore/oadp-application-backup-and-restore",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/backup_and_restore/oadp-application-backup-and-restore"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26568.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift API for Data Protection",
"tracking": {
"current_release_date": "2026-06-30T17:10:56+00:00",
"generator": {
"date": "2026-06-30T17:10:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:26568",
"initial_release_date": "2026-06-17T12:57:45+00:00",
"revision_history": [
{
"date": "2026-06-17T12:57:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-17T12:57:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T17:10:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift API for Data Protection 1.5",
"product": {
"name": "OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_api_data_protection:1.5::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift API for Data Protection"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3Af0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel9\u0026tag=1779770057"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3A5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9\u0026tag=1779244652"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3A31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9\u0026tag=1779244923"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3A5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-non-admin-rhel9\u0026tag=1779243495"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-rhel9-operator\u0026tag=1779843906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"product_id": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-operator-bundle@sha256%3A71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-operator-bundle\u0026tag=1779844974"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3Ac9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel9\u0026tag=1779808027"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3A39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel9\u0026tag=1779245274"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3Ada0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9\u0026tag=1779244577"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9\u0026tag=1779244988"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3A765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9\u0026tag=1779244697"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3A1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9\u0026tag=1779243501"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3A04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9\u0026tag=1779244652"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3Acf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9\u0026tag=1779244923"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3A15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel9\u0026tag=1779770057"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3A1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-non-admin-rhel9\u0026tag=1779243495"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3Af1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-rhel9-operator\u0026tag=1779843906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3Af05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel9\u0026tag=1779808027"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3A47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel9\u0026tag=1779245274"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3A7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9\u0026tag=1779244577"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3Ac1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9\u0026tag=1779244988"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3Ab3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9\u0026tag=1779244697"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3A071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48?arch=arm64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9\u0026tag=1779243501"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3Afda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9\u0026tag=1779244652"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3Ac7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9\u0026tag=1779244923"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3A99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel9\u0026tag=1779770057"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3A1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-non-admin-rhel9\u0026tag=1779243495"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-rhel9-operator\u0026tag=1779843906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel9\u0026tag=1779808027"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3Abc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel9\u0026tag=1779245274"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3Ab3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9\u0026tag=1779244577"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9\u0026tag=1779244988"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3Aacb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9\u0026tag=1779244697"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3A2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5?arch=s390x\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9\u0026tag=1779243501"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-hypershift-velero-plugin-rhel9@sha256%3A326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9\u0026tag=1779244652"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel9@sha256%3Ad2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9\u0026tag=1779244923"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-mustgather-rhel9@sha256%3Aac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel9\u0026tag=1779770057"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-non-admin-rhel9@sha256%3Affeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-non-admin-rhel9\u0026tag=1779243495"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-rhel9-operator@sha256%3A8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-rhel9-operator\u0026tag=1779843906"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-rhel9@sha256%3A0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel9\u0026tag=1779808027"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-rhel9@sha256%3Aa7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel9\u0026tag=1779245274"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel9@sha256%3A3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9\u0026tag=1779244577"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel9@sha256%3A2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9\u0026tag=1779244988"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-legacy-aws-rhel9@sha256%3A39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9\u0026tag=1779244697"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"product": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"product_id": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256%3Affaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16?arch=ppc64le\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9\u0026tag=1779243501"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64 as a component of OpenShift API for Data Protection 1.5",
"product_id": "OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
},
"product_reference": "registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64",
"relates_to_product_reference": "OpenShift API for Data Protection 1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25679",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-03-06T22:02:11.567841+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445356"
}
],
"notes": [
{
"category": "description",
"text": "The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/url: Incorrect parsing of IPv6 host literals in net/url",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-25679"
},
{
"category": "external",
"summary": "RHBZ#2445356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"category": "external",
"summary": "https://go.dev/cl/752180",
"url": "https://go.dev/cl/752180"
},
{
"category": "external",
"summary": "https://go.dev/issue/77578",
"url": "https://go.dev/issue/77578"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4601",
"url": "https://pkg.go.dev/vuln/GO-2026-4601"
}
],
"release_date": "2026-03-06T21:28:14.211000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "net/url: Incorrect parsing of IPv6 host literals in net/url"
},
{
"cve": "CVE-2026-27137",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-03-06T22:01:38.859733+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2445345"
}
],
"notes": [
{
"category": "description",
"text": "A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: Incorrect enforcement of email constraints in crypto/x509",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27137"
},
{
"category": "external",
"summary": "RHBZ#2445345",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445345"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27137",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27137"
},
{
"category": "external",
"summary": "https://go.dev/cl/752182",
"url": "https://go.dev/cl/752182"
},
{
"category": "external",
"summary": "https://go.dev/issue/77952",
"url": "https://go.dev/issue/77952"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk",
"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4599",
"url": "https://pkg.go.dev/vuln/GO-2026-4599"
}
],
"release_date": "2026-03-06T21:28:13.748000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: Incorrect enforcement of email constraints in crypto/x509"
},
{
"cve": "CVE-2026-32280",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-04-08T02:01:19.572351+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456339"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32280"
},
{
"category": "external",
"summary": "RHBZ#2456339",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"category": "external",
"summary": "https://go.dev/cl/758320",
"url": "https://go.dev/cl/758320"
},
{
"category": "external",
"summary": "https://go.dev/issue/78282",
"url": "https://go.dev/issue/78282"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4947",
"url": "https://pkg.go.dev/vuln/GO-2026-4947"
}
],
"release_date": "2026-04-08T01:06:58.595000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
},
{
"cve": "CVE-2026-32281",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2026-04-08T02:01:00.930989+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go's `crypto/x509` package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service (DoS) for applications or systems performing certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw occurs during the validation of otherwise trusted certificate chains that contain a large number of policy mappings, leading to excessive resource consumption. Exploitation requires an attacker to present a specially crafted, yet trusted, certificate chain which would require the attacker has already compromised a trusted certificate root. Red Hat continuously monitors certificate authorities and curates the set which is trusted by default for Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32281"
},
{
"category": "external",
"summary": "RHBZ#2456333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32281",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"category": "external",
"summary": "https://go.dev/cl/758061",
"url": "https://go.dev/cl/758061"
},
{
"category": "external",
"summary": "https://go.dev/issue/78281",
"url": "https://go.dev/issue/78281"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4946",
"url": "https://pkg.go.dev/vuln/GO-2026-4946"
}
],
"release_date": "2026-04-08T01:06:58.354000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation"
},
{
"cve": "CVE-2026-32282",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"discovery_date": "2026-04-08T02:01:12.683211+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456336"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the `Root.Chmod` function is replaced with a symbolic link during execution, specifically after `Root.Chmod` checks the target but before acting, the `chmod` operation will be performed on the file the symbolic link points to. This issue can bypass directory restrictions and lead to unauthorized permission changes on the filesystem.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs access to the system and the required permissions to create a symbolic link. Additionally, the attacker must swap the target file with a symbolic link in the exact window after the `Root.Chmod` function checks its target but before acting. Due to these conditions, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32282"
},
{
"category": "external",
"summary": "RHBZ#2456336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32282"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"category": "external",
"summary": "https://go.dev/cl/763761",
"url": "https://go.dev/cl/763761"
},
{
"category": "external",
"summary": "https://go.dev/issue/78293",
"url": "https://go.dev/issue/78293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4864",
"url": "https://pkg.go.dev/vuln/GO-2026-4864"
}
],
"release_date": "2026-04-08T01:06:55.953000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root"
},
{
"cve": "CVE-2026-33186",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-03-20T23:02:27.802640+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449833"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed `:path` that omits the mandatory leading slash. This allows the attacker to bypass defined security policies, potentially leading to unauthorized access to services or information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "RHBZ#2449833",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449833"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33186",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33186"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"category": "external",
"summary": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"release_date": "2026-03-20T22:23:32.147000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "To mitigate this issue, implement infrastructure-level normalization to ensure all incoming HTTP/2 `:path` headers are properly formatted with a leading slash before reaching the gRPC-Go server. This can be achieved by configuring a reverse proxy or API gateway to validate and normalize the `:path` header. Ensure that any such intermediary is properly configured and restarted to apply the changes, which may temporarily impact service availability.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation"
},
{
"cve": "CVE-2026-33747",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T02:01:29.921765+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452076"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can be leveraged to craft a malicious API message, allowing files to be written outside of the designated BuildKit state directory. This vulnerability, which is a form of arbitrary file write, could enable an attacker to execute unauthorized code or escalate their privileges on the system. This issue arises when custom BuildKit frontends are used with specific configuration options.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33747"
},
{
"category": "external",
"summary": "RHBZ#2452076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452076"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33747",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33747"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33747"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"
}
],
"release_date": "2026-03-27T00:49:06.165000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, avoid using untrusted BuildKit frontends. Restrict the use of custom BuildKit frontends to only those from verified and trusted sources. Do not specify untrusted frontends via `#syntax` or `--build-arg BUILDKIT_SYNTAX`.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend"
},
{
"cve": "CVE-2026-33748",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-27T15:02:00.107493+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452271"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33748"
},
{
"category": "external",
"summary": "RHBZ#2452271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452271"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33748",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33748"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33748"
},
{
"category": "external",
"summary": "https://docs.docker.com/build/concepts/context/#url-fragments",
"url": "https://docs.docker.com/build/concepts/context/#url-fragments"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
"url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
},
{
"category": "external",
"summary": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg",
"url": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg"
}
],
"release_date": "2026-03-27T14:00:21.200000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components"
},
{
"cve": "CVE-2026-33810",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-08T02:01:09.100830+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `crypto/x509` package within Go (golang). When verifying a certificate chain, excluded DNS (Domain Name System) constraints are not correctly applied to wildcard DNS Subject Alternative Names (SANs) if the case of the SAN differs from the constraint. This oversight could allow an attacker to bypass certificate validation, potentially leading to the acceptance of a malicious certificate that should have been rejected. This issue specifically impacts the validation of trusted certificate chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33810"
},
{
"category": "external",
"summary": "RHBZ#2456335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"category": "external",
"summary": "https://go.dev/cl/763763",
"url": "https://go.dev/cl/763763"
},
{
"category": "external",
"summary": "https://go.dev/issue/78332",
"url": "https://go.dev/issue/78332"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4866",
"url": "https://pkg.go.dev/vuln/GO-2026-4866"
}
],
"release_date": "2026-04-08T01:06:56.546000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application"
},
{
"cve": "CVE-2026-34986",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-06T17:01:34.639203+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
],
"known_not_affected": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "RHBZ#2455470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34986",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34986"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"category": "external",
"summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"category": "external",
"summary": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"release_date": "2026-04-06T16:22:45.353000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-17T12:57:45+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:26568"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:99ee1439b65c10715d8c68db82d34c940b35d49333e75206342c4071ac6b7ea9_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:ac6657db103d21fe3087af65ac5db65674808c076108e7e72d44f446a6c06fde_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:f0eeb401ff9af1cf1a1ec7f675af1b971d333b1b9a060f733583a0505ef755d6_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1011b71da5144aa87b41fad553e2595d37b0c00e84f3f9ef2fc5bc297c6c23b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:1ef599161ea817eaa39ae9122badc5947fcbfa734deecb1c508d64f381f52a3e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:5ce37061b7f2425eb90d2eabdb7d677213ce1a3ac70ef9388ded3d4d5ac0b745_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-non-admin-rhel9@sha256:ffeacd359cf277418e33a260740e4cb51e1ee2bf5e4cc9da70940099653e2115_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-operator-bundle@sha256:71d4d68dca0037032b54a9a0cb297ef5510f8527645e15fec482d38bef97c88b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:2c744015aa83e60af29a0f9afaf79b8989e30fbe0691b355a4934cbba8d875c7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:4f65efff92d7ca27642d56953725a881b0f5ec7c9e1e93665d071db125be6e99_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:8eacd52ce856b89c38ac209d4fc66bd8c3d196c54de6ad055edc1a8d39d9744c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-rhel9-operator@sha256:f1b973faeb4b97b79f94cb0d694f73bc90ba0d253fefadfd2b6c0a7994529ae4_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:3f7a2d92d75b52a54a9a75eb336bb0b4f31e1ad0e9f269f18ebad4975b9872c1_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:7fd8a157a73564f926e0ca1c5076745451a5b2746a93f0991bba14a0c29f6d14_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:b3aacb1ba2bc094bb4eee59348a9ff057c74944cbbf9fc9ab52d09d54c137a8b_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel9@sha256:da0495c5e76fec75eb6106b8926ab50b56fd6aa4171c008a16550c54aa32244e_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:2c490d9d3c4d176d8d8a396626525536cdd37236f9be86e73bb647cac9d07845_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7dbbe65df390d71e5af07b55c1768ccb716200a43e4af4a4c5613f538cf402ed_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:7f7f67f8c6975ffd963434a51078bc22588badff0dbbbc338b5d0245a48e5ccf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel9@sha256:c1e17277ad0857c83172bdda7f1d4ac583f85021306aa366c1bc1ac47ecd4f1a_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:39c9533ab8147da38dc1da75c842bdd9605c27e44e5bd6958216eb6c090aa2bc_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:765383ad0e9e62368e91b9ac4945d3f253f5cb5329bb531d725f34306e6ecad7_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:acb1707f8ad2165040856ff90282264e42f013cfead52cb5e2740eb471b884fc_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-legacy-aws-rhel9@sha256:b3da6df1cc941e1d2044429f1361fd5b37b108a8c2bf672296c37ac31d561bd8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:071c8c18a00c2762d439d3021888a21a63f326e62fa229ac2cb5be664bf23c48_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:1718e9188458574e6c33c73165d30078075fec0751044ef19affe99358f2960b_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:2b96f4912ed60316e9e914cc01ee7fd5af2293e22108c571cf0663e120a2e7d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel9@sha256:ffaccfe0ee5b0acd0d1f1a07da6fec010c4ecbb6521df6852f22428b7f005c16_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:39d8fef61373de14483aad9c4723a410d0de00ee59063f804a23104279661911_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:47ab49d1e7a2175b06b1e73c79f1b98dc55778adc0638b6a6eb36bed0e7343b8_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:a7dac46731507954f181d2a1766cda4d973ea07127757e1527a4ece7a09d3c1c_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-plugin-rhel9@sha256:bc1f7b04f4860fa4a8136331f541e9dd8497a16357e5b428c7fcdcc50f1241ee_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:0baee9f43009c32438afaf4a2578c4bbe6f13d941ebfd584ad9223269ceed20b_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:99ce5ccdbbe48df5c5323d8660e2609f24da8fe998dee969f0d555dad08aae5e_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:c9c234723ce4f834fe75e89636aedc7afc488d717439639728ab82dfe73ec4f8_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:04cd0a20d0f47d97111301293bdded1eb3c4b303c9276e39f00b61af649ef77e_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:326e5c4f290916e99455d128911cdebcc2f476128004e4b4df1903a1a621a366_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:5cc12932887111178da936ab430e9f16b7f710a4ae98c7f1e8698720624b0b6d_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-hypershift-velero-plugin-rhel9@sha256:fda6c87a82490205e0cf97028fe6750e5407b677fb4d0a38d9d3b95e8af396d5_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:31bb587a13b02aeda8a55639f800020d68e6e91d1e37a0346bc0c09819254940_amd64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:c7707d79297ad9e86a6061721ddbbab1ad389482d2c9e894268e1ef09a5311cf_s390x",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:cf1a0fdd87815165d037d8361af27a7caa6ba4d2236767a649dfbc62090940a9_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel9@sha256:d2aa0a929a06d94eb17c23df9ba182ab0fa72c70cf67fc0144e4dfb3ea0c8e29_ppc64le",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-mustgather-rhel9@sha256:15a5dc9571818879988dfdc824ee63fdde8b1e7eb60ea3a6a80e0f8d7e35f07c_arm64",
"OpenShift API for Data Protection 1.5:registry.redhat.io/oadp/oadp-velero-rhel9@sha256:f05cab7b47366dd652982905e2d9a5d4abcd0e1a5a2561b0d078c20e889e14cb_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.