Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2019-20920
Vulnerability from cvelistv5
Published
2020-09-30 12:30
Modified
2024-08-05 03:00
Severity ?
EPSS score ?
Summary
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 | Third Party Advisory | |
cve@mitre.org | https://www.npmjs.com/advisories/1316 | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.npmjs.com/advisories/1324 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.npmjs.com/advisories/1316 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.npmjs.com/advisories/1324 | Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:18.770Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.npmjs.com/advisories/1316" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.npmjs.com/advisories/1324" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-30T12:30:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.npmjs.com/advisories/1316" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.npmjs.com/advisories/1324" }, { "tags": [ "x_refsource_MISC" ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20920", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.npmjs.com/advisories/1316", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1316" }, { "name": "https://www.npmjs.com/advisories/1324", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1324" }, { "name": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20920", "datePublished": "2020-09-30T12:30:56", "dateReserved": "2020-09-30T00:00:00", "dateUpdated": "2024-08-05T03:00:18.770Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-20920\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-09-30T18:15:17.927\",\"lastModified\":\"2024-11-21T04:39:41.583\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS).\"},{\"lang\":\"es\",\"value\":\"Handlebars versiones anteriores a 3.0.8 y versiones 4.x anteriores a 4.5.3, son vulnerables a una ejecuci\u00f3n de c\u00f3digo arbitraria.\u0026#xa0;El asistente de b\u00fasqueda no comprueba apropiadamente las plantillas, permitiendo a atacantes enviar plantillas que ejecutan JavaScript arbitrario.\u0026#xa0;Esto se puede ser usado para ejecutar c\u00f3digo arbitrario en un servidor que procesa las plantillas de Handlebars o en el navegador de una v\u00edctima (que sirve efectivamente como un XSS)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":5.3}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.0.8\",\"matchCriteriaId\":\"BB7C04DC-7BC4-4508-8D18-C2FB5AC8468D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.5.3\",\"matchCriteriaId\":\"23E88C1D-4DAA-42FC-93F6-A0ECD21482D4\"}]}]}],\"references\":[{\"url\":\"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1316\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1324\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1316\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1324\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
rhsa-2020_5179
Vulnerability from csaf_redhat
Published
2020-11-24 13:10
Modified
2024-11-24 20:21
Summary
Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update
Notes
Topic
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The org.ovirt.engine-root is a core component of oVirt.
The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)
Security Fix(es):
* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)
* Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)
* If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)
* Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)
* [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)
* enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)
* NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)
* Adding quota to group doesn't propagate to users (BZ#1822372)
* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)
* Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)
* RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)
* Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)
* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
* RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)
* Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)
* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
* [CNV&RHV]Notification about VM creation contain <UNKNOWN> string (BZ#1873136)
* VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)
* Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)
* unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)
* [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)
* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
* [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)
Enhancement(s):
* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)
* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
* [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)
* [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)
* [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)
* [RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Virtualization Engine 4.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The org.ovirt.engine-root is a core component of oVirt.\n\nThe following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)\n\nSecurity Fix(es):\n\n* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)\n\n* Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)\n\n* If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)\n\n* Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)\n\n* [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)\n\n* enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)\n\n* NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)\n\n* Adding quota to group doesn\u0027t propagate to users (BZ#1822372)\n\n* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)\n\n* Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)\n\n* RHV-M shows successful operation if OVA export/import failed during \"qemu-img convert\" phase (BZ#1854888)\n\n* Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)\n\n* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)\n\n* RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)\n\n* Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)\n\n* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)\n\n* [CNV\u0026RHV]Notification about VM creation contain \u003cUNKNOWN\u003e string (BZ#1873136)\n\n* VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)\n\n* Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)\n\n* unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)\n\n* [CNV\u0026RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)\n\n* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)\n\n* [CNV\u0026RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)\n\n* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)\n\nEnhancement(s):\n\n* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)\n\n* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)\n\n* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)\n\n* [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)\n\n* [RFE] RHV-M Deployment/Install Needs it\u0027s own UUID (BZ#1825020)\n\n* [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)\n\n* [RFE] Expose the \"reinstallation required\" flag of the hosts in the API (BZ#1856671)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:5179", "url": "https://access.redhat.com/errata/RHSA-2020:5179" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "1613514", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613514" }, { "category": "external", "summary": "1657294", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1657294" }, { "category": "external", "summary": "1691253", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1691253" }, { "category": "external", "summary": "1702016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702016" }, { "category": "external", "summary": "1752751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752751" }, { "category": "external", "summary": "1760170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1760170" }, { "category": "external", "summary": "1797717", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797717" }, { "category": "external", "summary": "1808320", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1808320" }, { "category": "external", "summary": "1811466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811466" }, { "category": "external", "summary": "1812316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812316" }, { "category": "external", "summary": "1822372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1822372" }, { "category": "external", "summary": "1825020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1825020" }, { "category": "external", "summary": "1828241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828241" }, { "category": "external", "summary": "1829691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829691" }, { "category": "external", "summary": "1842344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842344" }, { "category": "external", "summary": "1845432", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1845432" }, { "category": "external", "summary": "1851865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1851865" }, { "category": "external", "summary": "1854888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854888" }, { "category": "external", "summary": "1855305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855305" }, { "category": "external", "summary": "1856671", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856671" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1859314", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859314" }, { "category": "external", "summary": "1862101", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1862101" }, { "category": "external", "summary": "1866981", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866981" }, { "category": "external", "summary": "1870133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870133" }, { "category": "external", "summary": "1871694", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871694" }, { "category": "external", "summary": "1872911", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1872911" }, { "category": "external", "summary": "1873136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873136" }, { "category": "external", "summary": "1876923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1876923" }, { "category": "external", "summary": "1877632", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877632" }, { "category": "external", "summary": "1877679", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877679" }, { "category": "external", "summary": "1879199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879199" }, { "category": "external", "summary": "1879280", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879280" }, { "category": "external", "summary": "1879377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879377" }, { "category": "external", "summary": "1881634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881634" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1883844", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883844" }, { "category": "external", "summary": "1884146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1884146" }, { "category": "external", "summary": "1884634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1884634" }, { "category": "external", "summary": "1885976", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885976" }, { "category": "external", "summary": "1887268", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887268" }, { "category": "external", "summary": "1888626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888626" }, { "category": "external", "summary": "1889522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1889522" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_5179.json" } ], "title": "Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-11-24T20:21:44+00:00", "generator": { "date": "2024-11-24T20:21:44+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2020:5179", "initial_release_date": "2020-11-24T13:10:41+00:00", "revision_history": [ { "date": "2020-11-24T13:10:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-11-24T13:10:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-24T20:21:44+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product": { "name": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product_id": "engine-db-query-0:1.6.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/engine-db-query@1.6.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product_id": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-logger-log4j@1.1.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product_id": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.4-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product_id": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.6-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product_id": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.4-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-grafana-integration-setup@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-setup@4.4.3.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product_id": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.5-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product_id": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap-setup@1.4.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product_id": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-metrics@1.4.2.1-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.3.8-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.3.8-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "engine-db-query-0:1.6.2-1.el8ev.src", "product": { "name": "engine-db-query-0:1.6.2-1.el8ev.src", "product_id": "engine-db-query-0:1.6.2-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/engine-db-query@1.6.2-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product_id": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-logger-log4j@1.1.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "product": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "product_id": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product_id": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.6-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product_id": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.2.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product_id": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.4.3.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product_id": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.6.5-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product_id": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-extension-aaa-ldap@1.4.2-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product_id": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-metrics@1.4.2.1-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.3.8-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "engine-db-query-0:1.6.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch" }, "product_reference": "engine-db-query-0:1.6.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "engine-db-query-0:1.6.2-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src" }, "product_reference": "engine-db-query-0:1.6.2-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src" }, "product_reference": "ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src" }, "product_reference": "ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src" }, "product_reference": "ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch" }, "product_reference": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src" }, "product_reference": "ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src" }, "product_reference": "ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch" }, "product_reference": "ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src" }, "product_reference": "ovirt-log-collector-0:4.4.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch" }, "product_reference": "ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.6.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" }, "product_reference": "ovirt-web-ui-0:1.6.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.3.8-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.3.8-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.6-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-11-24T13:10:41+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and not affected by this flaw. In the ovirt-web-ui,Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-11-24T13:10:41+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.noarch", "8Base-RHV-S-4.4:engine-db-query-0:1.6.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.4.3.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.4.3.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-0:1.4.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-extension-aaa-ldap-setup-0:1.4.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-extension-logger-log4j-0:1.1.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-metrics-0:1.4.2.1-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.2.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.6.5-1.el8ev.src", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.5-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.6-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-11-24T13:10:41+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:5179" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.3.8-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.3.8-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.3.8-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" } ] }
rhsa-2023_1334
Vulnerability from csaf_redhat
Published
2023-03-20 09:15
Modified
2024-11-15 12:04
Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.2 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)
* handlebars: nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
* handlebars: nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)
* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)
* rhpam-7-businesscentral-rhel8-container: maven: Block repositories using http by default (CVE-2021-26291)
* unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class (CVE-2018-1000134)
* handlebars: nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (CVE-2019-19919)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)\n\n* handlebars: nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* handlebars: nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)\n\n* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)\n\n* rhpam-7-businesscentral-rhel8-container: maven: Block repositories using http by default (CVE-2021-26291)\n\n* unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class (CVE-2018-1000134)\n\n* handlebars: nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (CVE-2019-19919)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1334", "url": "https://access.redhat.com/errata/RHSA-2023:1334" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "1501529", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501529" }, { "category": "external", "summary": "1557531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531" }, { "category": "external", "summary": "1789959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1948761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761" }, { "category": "external", "summary": "1955739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739" }, { "category": "external", "summary": "1956688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1334.json" } ], "title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.2 security update", "tracking": { "current_release_date": "2024-11-15T12:04:11+00:00", "generator": { "date": "2024-11-15T12:04:11+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1334", "initial_release_date": "2023-03-20T09:15:52+00:00", "revision_history": [ { "date": "2023-03-20T09:15:52+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-20T09:15:52+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T12:04:11+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHPAM 7.13.1 async", "product": { "name": "RHPAM 7.13.1 async", "product_id": "RHPAM 7.13.1 async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } } } ], "category": "product_family", "name": "Red Hat Process Automation Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-12629", "cwe": { "id": "CWE-138", "name": "Improper Neutralization of Special Elements" }, "discovery_date": "2017-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1501529" } ], "notes": [ { "category": "description", "text": "It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr\u0027s Config API.", "title": "Vulnerability description" }, { "category": "summary", "text": "Solr: Code execution via entity expansion", "title": "Vulnerability summary" }, { "category": "other", "text": "The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.\nRed Hat JBoss Enterprise Application Platform 6\nRed Hat JBoss BPM Suite\nRed Hat JBoss BRMS\nRed Hat Enterprise Virtualization Manager\nRed Hat Single Sign-On 7\nRed Hat JBoss Portal Platform 6\n\nRed Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.\n\nRed Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.\n\nThe following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:\nRed Hat JBoss Data Grid 7 \nRed Hat Enterprise Linux 6\nRed Hat Software Collections 2.4\n\nThis issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.\n\nThis issue does not affect Elasticsearch as shipped in OpenShift Container Platform.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-12629" }, { "category": "external", "summary": "RHBZ#1501529", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501529" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-12629", "url": "https://www.cve.org/CVERecord?id=CVE-2017-12629" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-12629", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12629" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/CVE-2017-12629", "url": "https://access.redhat.com/security/vulnerabilities/CVE-2017-12629" } ], "release_date": "2017-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" }, { "category": "workaround", "details": "Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config.\n\nThis is sufficient to protect from this type of attack, but means you cannot use the edit capabilities of the Config API until further fixes are in place.", "product_ids": [ "RHPAM 7.13.1 async" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Solr: Code execution via entity expansion" }, { "cve": "CVE-2018-1000134", "cwe": { "id": "CWE-284", "name": "Improper Access Control" }, "discovery_date": "2018-03-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1557531" } ], "notes": [ { "category": "description", "text": "UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn\u0027t check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.", "title": "Vulnerability description" }, { "category": "summary", "text": "unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Virtualization does not use the UnboundID SDK in synchronous mode, and hence does not expose this vulnerability in its default configuration.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-1000134" }, { "category": "external", "summary": "RHBZ#1557531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000134", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000134" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134" }, { "category": "external", "summary": "https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/", "url": "https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/" } ], "release_date": "2018-03-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class" }, { "cve": "CVE-2019-19919", "cwe": { "id": "CWE-471", "name": "Modification of Assumed-Immutable Data (MAID)" }, "discovery_date": "2020-01-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1789959" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object\u0027s __proto__ and __defineGetter__ properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so it has been given a low impact rating.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-19919" }, { "category": "external", "summary": "RHBZ#1789959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-19919", "url": "https://www.cve.org/CVERecord?id=CVE-2019-19919" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919" } ], "release_date": "2019-09-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads" }, { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and not affected by this flaw. In the ovirt-web-ui,Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2021-23369", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2021-04-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1948761" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. \nThe openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.\n\nIn OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"strict\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.\n\nIn Red Hat Virtualization ovirt-engine-ui-extensions and ovirt-web-ui Handlebars.js is included as a dependency of conventional-changelog-writer, it does not impact production code and as such has been given a low impact rating and set to wontfix. Handlebars.js may be updated to a newer version in future updates.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23369" }, { "category": "external", "summary": "RHBZ#1948761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23369", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23369" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option" }, { "cve": "CVE-2021-23383", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2021-04-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1956688" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component which includes Handlebars.js. Starting in 4.6, kibana is shipping as \"container first\" content. As such, the fix for OCP will be seen in the affected products table under openshift4/ose-logging-kibana6. The separate package \"kibana\" listed under \"OpenShift Container Platform 4\" is only used by 4.5 and earlier and will not be fixed.\n\nIn OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"compat\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23383" }, { "category": "external", "summary": "RHBZ#1956688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23383", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23383" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option" }, { "cve": "CVE-2021-26291", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1955739" } ], "notes": [ { "category": "description", "text": "A flaw was found in maven. Repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "maven: Block repositories using http by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-26291" }, { "category": "external", "summary": "RHBZ#1955739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-26291", "url": "https://www.cve.org/CVERecord?id=CVE-2021-26291" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291" }, { "category": "external", "summary": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291", "url": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291" } ], "release_date": "2021-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-20T09:15:52+00:00", "details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1334" }, { "category": "workaround", "details": "To avoid possible man-in-the-middle related attacks with this flaw, ensure any linked repositories in maven POMs use https and not http.", "product_ids": [ "RHPAM 7.13.1 async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "maven: Block repositories using http by default" } ] }
rhsa-2021_2500
Vulnerability from csaf_redhat
Published
2021-06-29 06:30
Modified
2024-11-13 22:22
Summary
Red Hat Security Advisory: Red Hat OpenShift Enterprise security and bug fix update
Notes
Topic
Red Hat OpenShift Container Platform release 4.6.36 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)
* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Setting up Kibana and Elasticsearch replica to 0, Kibana pods are created and indexmanagement jobs (BZ#1942609)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.36 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Setting up Kibana and Elasticsearch replica to 0, Kibana pods are created and indexmanagement jobs (BZ#1942609)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:2500", "url": "https://access.redhat.com/errata/RHSA-2021:2500" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1942609", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942609" }, { "category": "external", "summary": "1948761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761" }, { "category": "external", "summary": "1956688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2500.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Enterprise security and bug fix update", "tracking": { "current_release_date": "2024-11-13T22:22:31+00:00", "generator": { "date": "2024-11-13T22:22:31+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2021:2500", "initial_release_date": "2021-06-29T06:30:05+00:00", "revision_history": [ { "date": "2021-06-29T06:30:05+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-06-29T06:30:05+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-13T22:22:31+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "product": { "name": "openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "product_id": "openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-logging-operator\u0026tag=v4.6.0-202106181629.p0.git.c7e8377" } } }, { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "product_id": "openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202106181629.p0.git.c07c7ab" } } }, { "category": "product_version", "name": "openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "product": { "name": "openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "product_id": "openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-curator5\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "product": { "name": "openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "product_id": "openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-fluentd\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "product": { "name": "openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "product_id": "openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "product": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "product_id": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-jenkins-agent-nodejs-10-rhel8\u0026tag=v4.6.0-202106160917.p0.git.4d96f05" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "product": { "name": "openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "product_id": "openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-logging-operator\u0026tag=v4.6.0-202106181629.p0.git.c7e8377" } } }, { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "product_id": "openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202106181629.p0.git.c07c7ab" } } }, { "category": "product_version", "name": "openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "product": { "name": "openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "product_id": "openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-curator5\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "product": { "name": "openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "product_id": "openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-fluentd\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64", "product": { "name": "openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64", "product_id": "openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "product": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "product_id": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-jenkins-agent-nodejs-10-rhel8\u0026tag=v4.6.0-202106160917.p0.git.4d96f05" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202106160917.p0.git.d74112d" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "product": { "name": "openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "product_id": "openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-logging-operator\u0026tag=v4.6.0-202106181629.p0.git.c7e8377" } } }, { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "product_id": "openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202106181629.p0.git.c07c7ab" } } }, { "category": "product_version", "name": "openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "product": { "name": "openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "product_id": "openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-curator5\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "product": { "name": "openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "product_id": "openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-fluentd\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "product": { "name": "openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "product_id": "openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.6.0-202106181629.p0.git.40f3e72" } } }, { "category": "product_version", "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "product": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "product_id": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-jenkins-agent-nodejs-10-rhel8\u0026tag=v4.6.0-202106160917.p0.git.4d96f05" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le" }, "product_reference": "openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64" }, "product_reference": "openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x" }, "product_reference": "openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le" }, "product_reference": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64" }, "product_reference": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x" }, "product_reference": "openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64" }, "product_reference": "openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x" }, "product_reference": "openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le" }, "product_reference": "openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64" }, "product_reference": "openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x" }, "product_reference": "openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le" }, "product_reference": "openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x" }, "product_reference": "openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le" }, "product_reference": "openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" }, "product_reference": "openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-06-29T06:30:05+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:2500" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and not affected by this flaw. In the ovirt-web-ui,Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-06-29T06:30:05+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:2500" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2021-23369", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2021-04-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1948761" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. \nThe openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.\n\nIn OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"strict\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.\n\nIn Red Hat Virtualization ovirt-engine-ui-extensions and ovirt-web-ui Handlebars.js is included as a dependency of conventional-changelog-writer, it does not impact production code and as such has been given a low impact rating and set to wontfix. Handlebars.js may be updated to a newer version in future updates.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23369" }, { "category": "external", "summary": "RHBZ#1948761", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23369", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23369" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-06-29T06:30:05+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:2500" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option" }, { "cve": "CVE-2021-23383", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2021-04-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1956688" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component which includes Handlebars.js. Starting in 4.6, kibana is shipping as \"container first\" content. As such, the fix for OCP will be seen in the affected products table under openshift4/ose-logging-kibana6. The separate package \"kibana\" listed under \"OpenShift Container Platform 4\" is only used by 4.5 and earlier and will not be fixed.\n\nIn OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"compat\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:9ec64bf850e6ecf3d8b74c1d3bc96e3ef813be52c782b653b4d1de0a3912d97c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:b79954d4318d225f17b3a39a83a2b23090201849010147bea007ba1187364224_amd64", "8Base-RHOSE-4.6:openshift4/ose-cluster-logging-operator@sha256:f9003b1a4d6f0a2cc033f4d39e25592c3a509393ba13e857c1ad4251db9045ca_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:0aacdde0fe2cd3e3332d75f557a5127e81f22543d403286b563d5b53907fabbc_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:183a9a68771f4685064abcf6e4df19efcc9597eee3d140d05194db183327e9c5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:b53a9453c35968050accabadcdd4fc918b3893861a5152a5aa92ed6e79d87b67_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:6a9a798c1b961fb17f1685dc3e8b4c8380fb2d5efc59f9f611ac9494793e5b01_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:829dc83ff6afbdf52f795f0ee46ab8ccfd154ed09760971183a9e87d90b834fe_amd64", "8Base-RHOSE-4.6:openshift4/ose-jenkins-agent-nodejs-10-rhel8@sha256:984875b9b014c265f25e5ea8b7a4266d48a83ecc23c3862dcb3a0caec8f6c43f_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:69ae721c70713d7b96c8cb7310f027106240f69356c8a7f23db85428d3fd7748_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:75485d0c331b66fa4996cd2f642e370d241fc93560214a40ce2fd9385b7f3946_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-curator5@sha256:c740bbd097ad59afda31268852167ef831ea68cb5890984482d0749dfa68de97_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:566d93dc1560cd55dad6122214bcfde9a58cd3fdcb0f07e8a7102b30a3a111f2_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:9422f9defd336d0f88bfb90c30ece336f06dd4524fdcc98a2d73d0fcfb7921bc_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:d4a56c38d2481af3f5be1e12499849c6630b80f2210e15df0925828780548a60_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:402a4a1cff69e71f4f6748c2cfb41577d884d3336bba6097e35fe93bcf7d0e5a_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:511b93c6e86d30f43d31ef06d1b998202d1f7ef3517a0d0432bbef97f3da8b51_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-fluentd@sha256:a3efef334dffd89a498460e5965f96d2097e36ebdf9f29a9cce66f8f46b528f5_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:07b66cb72cbb2208c20dd20fa0ee2b711ea8519f9171ccaa6ed721ef709026c4_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23383" }, { "category": "external", "summary": "RHBZ#1956688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23383", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23383" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-06-29T06:30:05+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:2500" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:2ebb7a246cf1e286e187f02db46342749a801bd3daf562aeddf283e36b5776ea_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:a56a03988a016b7b9f4f54cffa91667dff7af9fc436ca49385369dca75aa6f29_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-kibana6@sha256:dcad4765e041cee0ccc825603f7a4c3250ffd3577a66778f5140dfee58fdbc2c_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option" } ] }
rhsa-2021_3917
Vulnerability from csaf_redhat
Published
2021-10-19 12:09
Modified
2024-11-24 20:23
Summary
Red Hat Security Advisory: Red Hat Quay v3.6.0 security, bug fix and enhancement update
Notes
Topic
An update is now available for Red Hat Quay 3.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Quay 3.6.0 release
Security Fix(es):
* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
* python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)
* nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)
* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)
* nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)
* nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)
* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
* nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)
* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
* python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)
* browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)
* nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)
* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)
* python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)
* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)
* python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292)
* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
* nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)
* python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)
* python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)
* python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)
* python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)
* nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)
* lodash: Prototype pollution in utilities function (CVE-2018-3721)
* hoek: Prototype pollution in utilities function (CVE-2018-3728)
* lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)
* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
* python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Quay 3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Quay 3.6.0 release\n\nSecurity Fix(es):\n\n* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)\n\n* python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)\n\n* nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)\n\n* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)\n\n* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)\n\n* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)\n\n* nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)\n\n* nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)\n\n* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)\n\n* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)\n\n* python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)\n\n* browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)\n\n* nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)\n\n* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)\n\n* python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)\n\n* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)\n\n* python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292)\n\n* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)\n\n* nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)\n\n* python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)\n\n* python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)\n\n* python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)\n\n* python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)\n\n* nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)\n\n* lodash: Prototype pollution in utilities function (CVE-2018-3721)\n\n* hoek: Prototype pollution in utilities function (CVE-2018-3728)\n\n* lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)\n\n* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)\n\n* python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:3917", "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1500700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500700" }, { "category": "external", "summary": "1500705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500705" }, { "category": "external", "summary": "1545884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545884" }, { "category": "external", "summary": "1545893", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545893" }, { "category": "external", "summary": "1546357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1546357" }, { "category": "external", "summary": "1547272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547272" }, { "category": "external", "summary": "1608140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608140" }, { "category": "external", "summary": "1743096", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743096" }, { "category": "external", "summary": "1840004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1840004" }, { "category": "external", "summary": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "1857977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" }, { "category": "external", "summary": "1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "1901662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901662" }, { "category": "external", "summary": "1915257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915257" }, { "category": "external", "summary": "1915420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915420" }, { "category": "external", "summary": "1915424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915424" }, { "category": "external", "summary": "1927293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927293" }, { "category": "external", "summary": "1934470", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934470" }, { "category": "external", "summary": "1934474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934474" }, { "category": "external", "summary": "1934680", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934680" }, { "category": "external", "summary": "1934685", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934685" }, { "category": "external", "summary": "1934692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934692" }, { "category": "external", "summary": "1934699", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934699" }, { "category": "external", "summary": "1934705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934705" }, { "category": "external", "summary": "1935384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935384" }, { "category": "external", "summary": "1935396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935396" }, { "category": "external", "summary": "1935401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935401" }, { "category": "external", "summary": "1940759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940759" }, { "category": "external", "summary": "1948763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948763" }, { "category": "external", "summary": "1954150", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954150" }, { "category": "external", "summary": "1955619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955619" }, { "category": "external", "summary": "1982378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1982378" }, { "category": "external", "summary": "PROJQUAY-1417", "url": "https://issues.redhat.com/browse/PROJQUAY-1417" }, { "category": "external", "summary": "PROJQUAY-1449", "url": "https://issues.redhat.com/browse/PROJQUAY-1449" }, { "category": "external", "summary": "PROJQUAY-1535", "url": "https://issues.redhat.com/browse/PROJQUAY-1535" }, { "category": "external", "summary": "PROJQUAY-1583", "url": "https://issues.redhat.com/browse/PROJQUAY-1583" }, { "category": "external", "summary": "PROJQUAY-1609", "url": "https://issues.redhat.com/browse/PROJQUAY-1609" }, { "category": "external", "summary": "PROJQUAY-1610", "url": "https://issues.redhat.com/browse/PROJQUAY-1610" }, { "category": "external", "summary": "PROJQUAY-1791", "url": "https://issues.redhat.com/browse/PROJQUAY-1791" }, { "category": "external", "summary": "PROJQUAY-1883", "url": "https://issues.redhat.com/browse/PROJQUAY-1883" }, { "category": "external", "summary": "PROJQUAY-1887", "url": "https://issues.redhat.com/browse/PROJQUAY-1887" }, { "category": "external", "summary": "PROJQUAY-1926", "url": "https://issues.redhat.com/browse/PROJQUAY-1926" }, { "category": "external", "summary": "PROJQUAY-1998", "url": "https://issues.redhat.com/browse/PROJQUAY-1998" }, { "category": "external", "summary": "PROJQUAY-2050", "url": "https://issues.redhat.com/browse/PROJQUAY-2050" }, { "category": "external", "summary": "PROJQUAY-2100", "url": "https://issues.redhat.com/browse/PROJQUAY-2100" }, { "category": "external", "summary": "PROJQUAY-2102", "url": "https://issues.redhat.com/browse/PROJQUAY-2102" }, { "category": "external", "summary": "PROJQUAY-672", "url": "https://issues.redhat.com/browse/PROJQUAY-672" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3917.json" } ], "title": "Red Hat Security Advisory: Red Hat Quay v3.6.0 security, bug fix and enhancement update", "tracking": { "current_release_date": "2024-11-24T20:23:31+00:00", "generator": { "date": "2024-11-24T20:23:31+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:3917", "initial_release_date": "2021-10-19T12:09:35+00:00", "revision_history": [ { "date": "2021-10-19T12:09:35+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-10-19T12:09:35+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-24T20:23:31+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Quay v3", "product": { "name": "Quay v3", "product_id": "8Base-Quay-3", "product_identification_helper": { "cpe": "cpe:/a:redhat:quay:3::el8" } } } ], "category": "product_family", "name": "Red Hat Quay" }, { "branches": [ { "category": "product_version", "name": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product": { "name": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product_id": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-bundle\u0026tag=v3.6.0-35" } } }, { "category": "product_version", "name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product": { "name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product_id": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-bridge-operator-rhel8\u0026tag=v3.6.0-40" } } }, { "category": "product_version", "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product": { "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product_id": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-rhel8\u0026tag=v3.6.0-44" } } }, { "category": "product_version", "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product": { "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product_id": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-builder-qemu-rhcos-rhel8\u0026tag=v3.6.0-45" } } }, { "category": "product_version", "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product": { "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product_id": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "product_identification_helper": { "purl": "pkg:oci/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d?arch=amd64\u0026repository_url=registry.redhat.io/quay/clair-rhel8\u0026tag=v3.6.0-70" } } }, { "category": "product_version", "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product": { "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product_id": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-bundle\u0026tag=v3.6.0-37" } } }, { "category": "product_version", "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product": { "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product_id": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-operator-rhel8\u0026tag=v3.6.0-44" } } }, { "category": "product_version", "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product": { "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product_id": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-bundle\u0026tag=v3.6.0-48" } } }, { "category": "product_version", "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product": { "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product_id": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-rhel8\u0026tag=v3.6.0-43" } } }, { "category": "product_version", "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product": { "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product_id": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel8\u0026tag=v3.6.0-62" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64" }, "product_reference": "quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64" }, "product_reference": "quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64" }, "product_reference": "quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64" }, "product_reference": "quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64" }, "product_reference": "quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64" }, "product_reference": "quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64" }, "product_reference": "quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64" }, "product_reference": "quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" }, "product_reference": "quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" }, "product_reference": "quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64", "relates_to_product_reference": "8Base-Quay-3" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-16137", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2017-09-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1500705" } ], "notes": [ { "category": "description", "text": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-debug: Regular expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of rh-nodejs4-nodejs-debug, rh-nodejs6-nodejs-debug, and rh-nodejs8-nodejs-debug as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Virtualization 4.2 EUS includes a vulnerable version of nodejs-debug as a part of the ovirt-engine-api-explorer package. This package is removed in Red Hat Virtualization 4.3.\n\nRed Hat Quay includes the debug library as a dependency of karma-webpack. It is only used at build time, and not runtime so its impact is reduce to low in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-16137" }, { "category": "external", "summary": "RHBZ#1500705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500705" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-16137", "url": "https://www.cve.org/CVERecord?id=CVE-2017-16137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" } ], "release_date": "2017-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-debug: Regular expression Denial of Service" }, { "cve": "CVE-2017-16138", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2017-09-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1500700" } ], "notes": [ { "category": "description", "text": "The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-mime: Regular expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contained a vulnerable version of nodejs-mime in the ovirt-engine-dashboard package. This package has been removed in Red Hat Virtualization 4.2.\n\nRed Hat Quay includes mime as a dependency of Karma. It\u0027s only used at build time, not runtime so this vulnerability has a low impact of Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-16138" }, { "category": "external", "summary": "RHBZ#1500700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500700" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-16138", "url": "https://www.cve.org/CVERecord?id=CVE-2017-16138" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" }, { "category": "external", "summary": "https://nodesecurity.io/advisories/535", "url": "https://nodesecurity.io/advisories/535" } ], "release_date": "2017-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-mime: Regular expression Denial of Service" }, { "cve": "CVE-2018-1107", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-02-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1546357" } ], "notes": [ { "category": "description", "text": "It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat Quay the is-my-json-valid library is included as a build time dependency of protractor. It\u0027s only used at build time, not at runtime reducing the impact to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-1107" }, { "category": "external", "summary": "RHBZ#1546357", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1546357" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1107", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1107" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1107", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1107" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:is-my-json-valid:20180214", "url": "https://snyk.io/vuln/npm:is-my-json-valid:20180214" } ], "release_date": "2018-02-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format" }, { "cve": "CVE-2018-1109", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-02-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1547272" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. The highest threat from this vulnerability is system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes braces as a dependency of webpack. Braces is only used at build time, not at runtime, reducing the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-1109" }, { "category": "external", "summary": "RHBZ#1547272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547272" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1109", "url": "https://www.cve.org/CVERecord?id=CVE-2018-1109" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1109", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1109" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:braces:20180219", "url": "https://snyk.io/vuln/npm:braces:20180219" } ], "release_date": "2018-02-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js" }, { "cve": "CVE-2018-3721", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1545884" } ], "notes": [ { "category": "description", "text": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "title": "Vulnerability description" }, { "category": "summary", "text": "lodash: Prototype pollution in utilities function", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms version 4.7 does not ship component lodash, so isn\u0027t affected by this flaw.\n\nRed Hat Virtualization 4.2 EUS includes a vulnerable version of lodash as part of the ovirt-engine-dashboard package. This package has been removed from Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3721" }, { "category": "external", "summary": "RHBZ#1545884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545884" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3721", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3721" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721" } ], "release_date": "2018-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "lodash: Prototype pollution in utilities function" }, { "cve": "CVE-2018-3728", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-02-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1545893" } ], "notes": [ { "category": "description", "text": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via \u0027merge\u0027 and \u0027applyToDefaults\u0027 functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "title": "Vulnerability description" }, { "category": "summary", "text": "hoek: Prototype pollution in utilities function", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes hoek as a dependency of protractor which is only used at build time. The vulnerable library is not used at runtime meaning this has a low impact on Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3728" }, { "category": "external", "summary": "RHBZ#1545893", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1545893" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3728", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3728" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728" } ], "release_date": "2018-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "hoek: Prototype pollution in utilities function" }, { "cve": "CVE-2018-3774", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-08-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1940759" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-url-parse. The wrong hostname can be returned, due to incorrect parsing, which can lead to a variety of vulnerabilities. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-url-parse: incorrect hostname in url parsing", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-3774" }, { "category": "external", "summary": "RHBZ#1940759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940759" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-3774", "url": "https://www.cve.org/CVERecord?id=CVE-2018-3774" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774" } ], "release_date": "2018-07-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-url-parse: incorrect hostname in url parsing" }, { "cve": "CVE-2018-16492", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2018-07-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1608140" } ], "notes": [ { "category": "description", "text": "A prototype pollution vulnerability was found in module extend \u003c2.0.2, ~\u003c3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-extend: Prototype pollution can allow attackers to modify object properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes \u0027extend\u0027 as a build time dependency. It\u0027s not used at runtime reducing the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-16492" }, { "category": "external", "summary": "RHBZ#1608140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608140" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-16492", "url": "https://www.cve.org/CVERecord?id=CVE-2018-16492" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16492", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16492" }, { "category": "external", "summary": "https://snyk.io/vuln/npm:extend:20180424", "url": "https://snyk.io/vuln/npm:extend:20180424" } ], "release_date": "2018-04-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-extend: Prototype pollution can allow attackers to modify object properties" }, { "cve": "CVE-2018-21270", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-12-04T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1927293" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-stringstream. Node.js stringstream module is vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay include stringstream as a dependency of Karma. Karma is only used at build time, and not at runtime reducing the impact of this vulnerability to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-21270" }, { "category": "external", "summary": "RHBZ#1927293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-21270", "url": "https://www.cve.org/CVERecord?id=CVE-2018-21270" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-21270", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-21270" } ], "release_date": "2020-05-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure" }, { "cve": "CVE-2019-20920", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882260" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20920" }, { "category": "external", "summary": "RHBZ#1882260", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20920" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1316", "url": "https://www.npmjs.com/advisories/1316" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1324", "url": "https://www.npmjs.com/advisories/1324" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution" }, { "cve": "CVE-2019-20922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1882256" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extentions, the version used is newer and not affected by this flaw. In the ovirt-web-ui,Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20922" }, { "category": "external", "summary": "RHBZ#1882256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1300", "url": "https://www.npmjs.com/advisories/1300" } ], "release_date": "2019-11-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS" }, { "cve": "CVE-2019-1010266", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-07-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1743096" } ], "notes": [ { "category": "description", "text": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", "title": "Vulnerability description" }, { "category": "summary", "text": "lodash: uncontrolled resource consumption in Data handler causing denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-1010266" }, { "category": "external", "summary": "RHBZ#1743096", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743096" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-1010266", "url": "https://www.cve.org/CVERecord?id=CVE-2019-1010266" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" } ], "release_date": "2019-04-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "lodash: uncontrolled resource consumption in Data handler causing denial of service" }, { "cve": "CVE-2020-7608", "cwe": { "id": "CWE-267", "name": "Privilege Defined With Unsafe Actions" }, "discovery_date": "2020-05-11T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1840004" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in nodesjs-yargs-parser, where it can be tricked into adding or modifying properties of the Object.prototype using a \"__proto__\" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-yargs-parser: prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7608" }, { "category": "external", "summary": "RHBZ#1840004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1840004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7608", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7608" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" } ], "release_date": "2020-03-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-yargs-parser: prototype pollution vulnerability" }, { "cve": "CVE-2020-8203", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857412" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-lodash: prototype pollution in zipObjectDeep function", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8203" }, { "category": "external", "summary": "RHBZ#1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8203" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "category": "external", "summary": "https://hackerone.com/reports/712065", "url": "https://hackerone.com/reports/712065" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1523", "url": "https://www.npmjs.com/advisories/1523" } ], "release_date": "2020-04-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-lodash: prototype pollution in zipObjectDeep function" }, { "cve": "CVE-2020-15366", "cwe": { "id": "CWE-471", "name": "Modification of Assumed-Immutable Data (MAID)" }, "discovery_date": "2020-07-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857977" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "title": "Vulnerability summary" }, { "category": "other", "text": "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-ajv library to authenticated users only, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-15366" }, { "category": "external", "summary": "RHBZ#1857977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857977" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-15366", "url": "https://www.cve.org/CVERecord?id=CVE-2020-15366" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-AJV-584908", "url": "https://snyk.io/vuln/SNYK-JS-AJV-584908" } ], "release_date": "2020-07-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function" }, { "cve": "CVE-2020-26237", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2020-11-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1901662" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-highlight-js. Highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object\u0027s prototype during highlighting.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-highlight-js: prototype pollution via a crafted HTML code block", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat Virtualization, ovirt-engine-api-explorer uses a vulnerable version of highlight.js, however since release 4.4.3 ovirt-engine-api-explorer is obsoleted and no longer used.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-26237" }, { "category": "external", "summary": "RHBZ#1901662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901662" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-26237", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26237" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-26237", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26237" }, { "category": "external", "summary": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx", "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx" } ], "release_date": "2020-11-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-highlight-js: prototype pollution via a crafted HTML code block" }, { "cve": "CVE-2020-26291", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915257" } ], "notes": [ { "category": "description", "text": "A flaw was found in urijs. The hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.", "title": "Vulnerability description" }, { "category": "summary", "text": "urijs: Hostname spoofing via backslashes in URL", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-26291" }, { "category": "external", "summary": "RHBZ#1915257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915257" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-26291", "url": "https://www.cve.org/CVERecord?id=CVE-2020-26291" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-26291", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26291" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155", "url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/releases/tag/v1.19.4", "url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4" }, { "category": "external", "summary": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg", "url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg" }, { "category": "external", "summary": "https://www.npmjs.com/package/urijs", "url": "https://www.npmjs.com/package/urijs" } ], "release_date": "2020-12-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "urijs: Hostname spoofing via backslashes in URL" }, { "cve": "CVE-2020-35653", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915420" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Buffer over-read in PCX image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-35653" }, { "category": "external", "summary": "RHBZ#1915420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915420" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-35653", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35653" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security" } ], "release_date": "2021-01-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "python-pillow: Buffer over-read in PCX image reader" }, { "cve": "CVE-2020-35654", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2021-01-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1915424" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow", "title": "Vulnerability summary" }, { "category": "other", "text": "python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-35654" }, { "category": "external", "summary": "RHBZ#1915424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915424" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-35654", "url": "https://www.cve.org/CVERecord?id=CVE-2020-35654" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-35654", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35654" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security" } ], "release_date": "2021-01-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow" }, { "cve": "CVE-2021-23364", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1955619" } ], "notes": [ { "category": "description", "text": "Regular Expression Denial of Service (ReDoS) vulnerability was found in browserslist library. An attacker can use this vulnerability to parse a query which potentially can lead to service degradation.", "title": "Vulnerability description" }, { "category": "summary", "text": "browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)", "title": "Vulnerability summary" }, { "category": "other", "text": "While some components do package a vulnerable version of nodejs browserslist library, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. \nThis applies to the following products:\n - OpenShift Container Platform (OCP)\n - OpenShift ServiceMesh (OSSM)\n - Red Hat Advanced Cluster Management for Kubernetes (RHACM)\n\nIn Red Had Quay , whilst a vulnerable version of `browserslist` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23364" }, { "category": "external", "summary": "RHBZ#1955619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23364", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23364" } ], "release_date": "2021-04-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)" }, { "cve": "CVE-2021-23368", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1948763" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss`. When parsing a supplied CSS string, if it contains an unexpected value then as the supplied CSS grows in length it will take an ever increasing amount of time to process. An attacker can use this vulnerability to potentially craft a malicious a long CSS value to process resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-postcss: Regular expression denial of service during source map parsing", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nIn Red Had Quay , whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.\n\nIn Red Hat Virtualization a vulnerable version of postcss is used in cockpit-ovirt, ovirt-web-ui and ovirt-engine-ui-extensions. However, it is only used during development and is used to process known CSS content. This flaw has been marked as \"wontfix\" and it may be addressed in future updates.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23368" }, { "category": "external", "summary": "RHBZ#1948763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948763" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23368", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23368" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23368", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23368" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-postcss: Regular expression denial of service during source map parsing" }, { "cve": "CVE-2021-23382", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1954150" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss` when using getAnnotationURL() or loadAnnotation() options in lib/previous-map.js. An attacker can use this vulnerability to potentially craft a malicious CSS to process resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js", "title": "Vulnerability summary" }, { "category": "other", "text": "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nIn Red Had Quay , whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-23382" }, { "category": "external", "summary": "RHBZ#1954150", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954150" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-23382", "url": "https://www.cve.org/CVERecord?id=CVE-2021-23382" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23382", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23382" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640", "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640" } ], "release_date": "2021-04-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js" }, { "cve": "CVE-2021-25289", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934680" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The previous fix for CVE-2020-35654 was insufficient due to incorrect error checking in TiffDecode.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c", "title": "Vulnerability summary" }, { "category": "other", "text": "python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25289" }, { "category": "external", "summary": "RHBZ#1934680", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934680" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25289", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25289" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25289", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25289" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c" }, { "cve": "CVE-2021-25290", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934685" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. In TiffDecode.c, there is a negative-offset memcpy with an invalid size which could lead to a system crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Negative-offset memcpy in TIFF image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25290" }, { "category": "external", "summary": "RHBZ#1934685", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934685" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25290", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25290" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25290", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25290" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Negative-offset memcpy in TIFF image reader" }, { "cve": "CVE-2021-25291", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934692" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Invalid tile boundaries could lead to an OOB Read in TiffReadRGBATile in TiffDecode.c.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does not affect the versions of python-pillow as shipped with Red Hat Enterprise Linux 8 as it does not include the vulnerable code, which was introduced in a newer upstream version than what what shipped.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25291" }, { "category": "external", "summary": "RHBZ#1934692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934692" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25291", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25291" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25291", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25291" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c" }, { "cve": "CVE-2021-25292", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934699" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Regular expression DoS in PDF format parser", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25292" }, { "category": "external", "summary": "RHBZ#1934699", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934699" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25292", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25292" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25292", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25292" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Regular expression DoS in PDF format parser" }, { "cve": "CVE-2021-25293", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "discovery_date": "2021-03-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934705" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. There is an Out of Bounds Read in SGIRleDecode.c.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Out-of-bounds read in SGI RLE image reader", "title": "Vulnerability summary" }, { "category": "other", "text": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-25293" }, { "category": "external", "summary": "RHBZ#1934705", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934705" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-25293", "url": "https://www.cve.org/CVERecord?id=CVE-2021-25293" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-25293", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25293" } ], "release_date": "2021-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Out-of-bounds read in SGI RLE image reader" }, { "cve": "CVE-2021-27515", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934474" } ], "notes": [ { "category": "description", "text": "An input validation flaw exists in the node.js-url-parse, which results in the URL being incorrectly set to the document location protocol instead of the URL being passed as an argument. This flaw allows an attacker to bypass security checks on URLs. The highest threat from this vulnerability is to integrity. This is an incomplete fix for CVE-2020-8124.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27515" }, { "category": "external", "summary": "RHBZ#1934474", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934474" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27515", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27515" } ], "release_date": "2021-02-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise" }, { "cve": "CVE-2021-27516", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1934470" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-urijs where URI.js (urijs) mishandles certain uses of the backslash such as http:\\/ and interprets the URI as a relative path. The highest threat from this vulnerability is to confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay includes the urijs dependency in it\u0027s package.lock file but it\u0027s not used anywhere in the code.\n\nRed Hat Advanced Cluster Management for Kubernetes uses Quay as a service, but not code from Quay that exists in RHACM.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27516" }, { "category": "external", "summary": "RHBZ#1934470", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934470" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27516", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27516" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27516", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27516" } ], "release_date": "2021-02-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise" }, { "cve": "CVE-2021-27921", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935384" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in BLP image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27921" }, { "category": "external", "summary": "RHBZ#1935384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935384" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27921", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27921" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27921", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27921" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in BLP image reader" }, { "cve": "CVE-2021-27922", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935396" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in ICNS image reader", "title": "Vulnerability summary" }, { "category": "other", "text": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27922" }, { "category": "external", "summary": "RHBZ#1935396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935396" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27922", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27922" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27922", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27922" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in ICNS image reader" }, { "cve": "CVE-2021-27923", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-03-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1935401" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. Attackers can cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Excessive memory allocation in ICO image reader", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27923" }, { "category": "external", "summary": "RHBZ#1935401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27923", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27923" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923" } ], "release_date": "2021-03-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "Disable the invoice generation feature to mitigate this vulnerability in Red Hat Quay.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Excessive memory allocation in ICO image reader" }, { "cve": "CVE-2021-34552", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1982378" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the \"convert()\" or \"ImagingConvertTransparent()\" functions in Convert.c. The highest threat to this vulnerability is to system availability.\r\n\r\nIn Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container, however the invoice generation feature which uses python-pillow is disabled by default. Therefore impact has been rated Moderate.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-pillow: Buffer overflow in image convert function", "title": "Vulnerability summary" }, { "category": "other", "text": "Due to the compiler options used, the buffer overflow is detected and the impact is lowered to a crash only. Additionally, the \"mode\" parameter has to be attacker controlled, which is considered a rare case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "known_not_affected": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-34552" }, { "category": "external", "summary": "RHBZ#1982378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1982378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-34552", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34552" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34552", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34552" }, { "category": "external", "summary": "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-10-19T12:09:35+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "category": "workaround", "details": "To mitigate this flaw on Red Hat Quay, keep the invoice generation feature disabled, as it is by default.\n\nRed Hat Satellite 6.9 customers can apply following hotfix to eliminate the vulnerability warnings.\n* Download python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm from https://bugzilla.redhat.com/attachment.cgi?id=1819471\n* Stop services:\n# satellite-maintain service stop\n* Upgrade python2-daemon and remove affected package\n# rpm -Uvh python2-daemon-2.1.2-7.1.HFRHBZ1998199.el7sat.noarch.rpm\n# yum remove python-pillow\n* Restart services:\n# satellite-maintain service start\n\nSatellite 6.10 future release is also fixing this.", "product_ids": [ "8Base-Quay-3:quay/clair-rhel8@sha256:2cb015d00c209fa894958afccbb5ab03c0cc08d74789412343d40564c790b96d_amd64", "8Base-Quay-3:quay/quay-bridge-operator-bundle@sha256:89ff146ee1ca5fd079bfc1d1dc2f84d3215edbeb7b540f7dde390d1508133229_amd64", "8Base-Quay-3:quay/quay-bridge-operator-rhel8@sha256:8ed9531542037756f556ab478b54b216e4ae631d72477dba6784eb75657d3646_amd64", "8Base-Quay-3:quay/quay-builder-qemu-rhcos-rhel8@sha256:03862af902623b5c0f8ab0ce4bac896624fb0325ff5089e6cc0426f125891e6e_amd64", "8Base-Quay-3:quay/quay-builder-rhel8@sha256:0125935ef8a605c55c0a68233177f7ee84b9a0bc3331f496945d72c87aa84cb8_amd64", "8Base-Quay-3:quay/quay-container-security-operator-bundle@sha256:bbb7a3a4cfd9c98df1037c58d3e68e1cd8e554c0af336b08a04a914285c68edb_amd64", "8Base-Quay-3:quay/quay-container-security-operator-rhel8@sha256:860794203beca60e5961b0e69aae97c7e6d6f7e3867b476d1cc458523ec0804b_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:7eeea8b3c3f9ddade8e989a5227fe2e01b7dff0546350017117a10155f16fbe1_amd64", "8Base-Quay-3:quay/quay-operator-rhel8@sha256:0b9639c1895923a625980cd57316065b0e192e5ae6a6a7ca5e7d31289d42f7a0_amd64", "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-rhel8@sha256:d8dd1cd5ccc8231a1228371935700f61f71ffcb9bc3134fe7f37c822a8ec41d3_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-pillow: Buffer overflow in image convert function" } ] }
ghsa-3cqr-58rm-57f8
Vulnerability from github
Published
2022-02-10 20:38
Modified
2021-04-22 23:38
Severity ?
Summary
Arbitrary Code Execution in Handlebars
Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "(handlebars).helpers.lookup" ] }, "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.0.8" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(handlebars).helpers.lookup" ] }, "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.5.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2019-20920" ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2021-04-22T23:38:32Z", "nvd_published_at": "2020-09-30T18:15:00Z", "severity": "HIGH" }, "details": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS).", "id": "GHSA-3cqr-58rm-57f8", "modified": "2021-04-22T23:38:32Z", "published": "2022-02-10T20:38:19Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1316" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1324" }, { "type": "WEB", "url": "https://www.npmjs.com/package/handlebars" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Arbitrary Code Execution in Handlebars" }
gsd-2019-20920
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Aliases
Aliases
{ "GSD": { "alias": "CVE-2019-20920", "description": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS).", "id": "GSD-2019-20920", "references": [ "https://access.redhat.com/errata/RHSA-2021:3917", "https://access.redhat.com/errata/RHSA-2021:2500", "https://access.redhat.com/errata/RHSA-2020:5179" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2019-20920" ], "details": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS).", "id": "GSD-2019-20920", "modified": "2023-12-13T01:23:42.785891Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20920", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.npmjs.com/advisories/1316", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1316" }, { "name": "https://www.npmjs.com/advisories/1324", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1324" }, { "name": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c3.0.8||\u003e=4.0.0 \u003c4.5.3", "affected_versions": "All versions before 3.0.8, all versions starting from 4.0.0 before 4.5.3", "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937", "CWE-94" ], "date": "2022-02-10", "description": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS).", "fixed_versions": [ "3.0.8", "4.5.3" ], "identifier": "CVE-2019-20920", "identifiers": [ "GHSA-3cqr-58rm-57f8", "CVE-2019-20920" ], "not_impacted": "All versions starting from 3.0.8 before 4.0.0, all versions starting from 4.5.3", "package_slug": "npm/handlebars", "pubdate": "2022-02-10", "solution": "Upgrade to versions 3.0.8, 4.5.3 or above.", "title": "Improper Control of Generation of Code (\u0027Code Injection\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e", "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", "https://www.npmjs.com/advisories/1316", "https://www.npmjs.com/advisories/1324", "https://www.npmjs.com/package/handlebars", "https://github.com/advisories/GHSA-3cqr-58rm-57f8" ], "uuid": "2a116fa0-3b19-410b-a8d6-7a896f7665ba" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "3.0.8", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "4.5.3", "versionStartIncluding": "4.0.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20920" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim\u0027s browser (effectively serving as XSS)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-94" } ] } ] }, "references": { "reference_data": [ { "name": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" }, { "name": "https://www.npmjs.com/advisories/1324", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://www.npmjs.com/advisories/1324" }, { "name": "https://www.npmjs.com/advisories/1316", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.npmjs.com/advisories/1316" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.3 } }, "lastModifiedDate": "2020-10-15T17:35Z", "publishedDate": "2020-09-30T18:15Z" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.