Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2021-37701
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:23:01.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.npmjs.com/package/tar" }, { "tags": [ "x_transferred" ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "DSA-5008", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-5008" }, { "tags": [ "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "name": "[debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "node-tar", "vendor": "npm", "versions": [ { "status": "affected", "version": "\u003c 4.4.16" }, { "status": "affected", "version": "\u003e= 5.0.0, \u003c 5.0.8" }, { "status": "affected", "version": "\u003e= 6.0.0, \u003c 6.1.7" } ] } ], "descriptions": [ { "lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-12T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://www.npmjs.com/package/tar" }, { "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "DSA-5008", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-5008" }, { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "name": "[debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" } ], "source": { "advisory": "GHSA-9r2w-394v-53qc", "discovery": "UNKNOWN" }, "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37701", "datePublished": "2021-08-31T00:00:00", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.526Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-37701\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-08-31T17:15:07.963\",\"lastModified\":\"2024-11-21T06:15:44.403\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The npm package \\\"tar\\\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\\\` and `/` characters as path separators, however `\\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.\"},{\"lang\":\"es\",\"value\":\"El paquete npm \\\"tar\\\" (tambi\u00e9n se conoce como node-tar) versiones anteriores a 4.4.16, 5.0.8 y 6.1.7, presenta una vulnerabilidad de creaci\u00f3n y escritura excesiva de archivos arbitrarios y de ejecuci\u00f3n de c\u00f3digo arbitrario. node-tar pretende garantizar que no se extraiga ning\u00fan archivo cuya ubicaci\u00f3n ser\u00eda modificada por un enlace simb\u00f3lico. Esto es conseguido, en parte, asegurando que los directorios extra\u00eddos no sean enlaces simb\u00f3licos. Adem\u00e1s, para evitar llamadas innecesarias a las estad\u00edsticas para determinar si una ruta dada es un directorio, las rutas son almacenadas en cach\u00e9 cuando los directorios son creados. Esta l\u00f3gica era insuficiente cuando se extra\u00edan archivos tar que conten\u00edan tanto un directorio como un enlace simb\u00f3lico con el mismo nombre que el directorio, donde los nombres de los enlaces simb\u00f3licos y de los directorios en la entrada del archivo usaban barras invertidas como separador de rutas en los sistemas posix. La l\u00f3gica de comprobaci\u00f3n de la cach\u00e9 usaba tanto los caracteres \\\"\\\\\\\" como \\\"/\\\" como separadores de ruta, sin embargo \\\"\\\\\\\" es un car\u00e1cter de nombre de archivo v\u00e1lido en los sistemas posix. Al crear primero un directorio, y luego sustituyendo ese directorio por un enlace simb\u00f3lico, era posible omitir las comprobaciones de enlaces simb\u00f3licos de node-tar en los directorios, permitiendo esencialmente que un archivo tar no confiable hiciera un enlace simb\u00f3lico en una ubicaci\u00f3n arbitraria y que posteriormente extrajera archivos arbitrarios en esa ubicaci\u00f3n, permitiendo as\u00ed la creaci\u00f3n y escritura excesiva arbitraria de archivos. Adem\u00e1s, una confusi\u00f3n similar podr\u00eda surgir en los sistemas de archivos que no distinguen entre may\u00fasculas y min\u00fasculas. Si un archivo tar contiene un directorio en \\\"FOO\\\", seguido de un enlace simb\u00f3lico llamado \\\"foo\\\", entonces en los sistemas de archivos no sensibles a las may\u00fasculas y min\u00fasculas, la creaci\u00f3n del enlace simb\u00f3lico eliminar\u00eda el directorio del sistema de archivos, pero no de la cach\u00e9 interna de directorios, ya que no se tratar\u00eda como un golpe de cach\u00e9. Una entrada de archivo posterior dentro del directorio \\\"FOO\\\" se colocar\u00eda entonces en el objetivo del enlace simb\u00f3lico, pensando que el directorio ya hab\u00eda sido creado. Estos problemas se han solucionado en las versiones 4.4.16, 5.0.8 y 6.1.7. La rama v3 de node-tar ha quedado obsoleta y no ha recibido parches para estos problemas. Si todav\u00eda est\u00e1 usando una versi\u00f3n v3, le recomendamos que actualice a una versi\u00f3n m\u00e1s reciente de node-tar. Si esto no es posible, hay una soluci\u00f3n disponible en la referencia GHSA-9r2w-394v-53qc\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-59\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.4.16\",\"matchCriteriaId\":\"E01C9064-AACB-439F-869A-476D7FC6E8BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.0.8\",\"matchCriteriaId\":\"DC1720C1-75AF-42EA-8E0E-1D4343ACE253\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.1.7\",\"matchCriteriaId\":\"A10FB87B-FD4E-482D-AA64-8DC28DD86763\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"53B2BB06-A2F7-4603-89C3-C8500E55483A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"01E88C86-8C04-4A4A-BF45-9082AA783056\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.1.1\",\"matchCriteriaId\":\"B0F46497-4AB0-49A7-9453-CC26837BF253\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-5008\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/tar\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-5008\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/tar\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}" } }
wid-sec-w-2023-0809
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0809 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0809.json" }, { "category": "self", "summary": "WID-SEC-2023-0809 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0809" }, { "category": "external", "summary": "IBM Security Bulletin: 6967283 vom 2023-03-30", "url": "https://www.ibm.com/support/pages/node/6967283" }, { "category": "external", "summary": "IBM Security Bulletin: 6967333 vom 2023-03-30", "url": "https://www.ibm.com/support/pages/node/6967333" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin 7108657 vom 2024-01-17", "url": "https://www.ibm.com/support/pages/node/7108657" }, { "category": "external", "summary": "Fedora Security Advisory FEDORA-2024-5ECC250449 vom 2024-02-19", "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-5ecc250449" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-02-19T23:00:00.000+00:00", "generator": { "date": "2024-02-20T10:06:43.480+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0809", "initial_release_date": "2023-03-30T22:00:00.000+00:00", "revision_history": [ { "date": "2023-03-30T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-16T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-02-19T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Fedora aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Fedora Linux", "product": { "name": "Fedora Linux", "product_id": "74185", "product_identification_helper": { "cpe": "cpe:/o:fedoraproject:fedora:-" } } } ], "category": "vendor", "name": "Fedora" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version_range", "name": "\u003c User Behavior Analytics 4.1.11", "product": { "name": "IBM QRadar SIEM \u003c User Behavior Analytics 4.1.11", "product_id": "T027026", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:user_behavior_analytics_4.1.11" } } }, { "category": "product_version_range", "name": "\u003c 7.4.3 FP9", "product": { "name": "IBM QRadar SIEM \u003c 7.4.3 FP9", "product_id": "T027027", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.4.3_fp9" } } }, { "category": "product_version_range", "name": "\u003c 7.5.0 UP5", "product": { "name": "IBM QRadar SIEM \u003c 7.5.0 UP5", "product_id": "T027028", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up5" } } } ], "category": "product_name", "name": "QRadar SIEM" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2023-22809" }, { "cve": "CVE-2022-4883", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-4883" }, { "cve": "CVE-2022-46364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-46364" }, { "cve": "CVE-2022-46363", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-46363" }, { "cve": "CVE-2022-45143", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-45143" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-4254", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-4254" }, { "cve": "CVE-2022-42252", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41946", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41946" }, { "cve": "CVE-2022-41704", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41704" }, { "cve": "CVE-2022-40156", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40156" }, { "cve": "CVE-2022-40155", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40155" }, { "cve": "CVE-2022-40154", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40154" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-37603", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37603" }, { "cve": "CVE-2022-37601", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37601" }, { "cve": "CVE-2022-37599", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37599" }, { "cve": "CVE-2022-37598", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37598" }, { "cve": "CVE-2022-3676", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-3676" }, { "cve": "CVE-2022-36364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-36364" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-34917", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-34917" }, { "cve": "CVE-2022-31197", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-31197" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-28733", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-28733" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-25927", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25927" }, { "cve": "CVE-2022-25901", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25901" }, { "cve": "CVE-2022-25758", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25758" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-24999", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24999" }, { "cve": "CVE-2022-24839", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24839" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24785", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24785" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-23437" }, { "cve": "CVE-2022-22971", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22970", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-22970" }, { "cve": "CVE-2022-21724", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21724" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21619" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-42740", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-42740" }, { "cve": "CVE-2021-42581", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-42581" }, { "cve": "CVE-2021-39227", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-39227" }, { "cve": "CVE-2021-3918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3918" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3807" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-3765", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3765" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-29060", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-29060" }, { "cve": "CVE-2021-26401", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-26401" }, { "cve": "CVE-2021-25220", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-25220" }, { "cve": "CVE-2021-23450", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23450" }, { "cve": "CVE-2021-23382", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23382" }, { "cve": "CVE-2021-23368", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23368" }, { "cve": "CVE-2021-23364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23364" }, { "cve": "CVE-2021-23362", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23362" }, { "cve": "CVE-2021-23343", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23343" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21290" }, { "cve": "CVE-2020-7764", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-7764" }, { "cve": "CVE-2020-5259", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-5259" }, { "cve": "CVE-2020-24025", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-24025" }, { "cve": "CVE-2020-15366", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-15366" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-13936" }, { "cve": "CVE-2019-6286", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6286" }, { "cve": "CVE-2019-6284", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6284" }, { "cve": "CVE-2019-6283", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6283" }, { "cve": "CVE-2019-10785", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-10785" }, { "cve": "CVE-2018-8036", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-8036" }, { "cve": "CVE-2018-20821", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-20821" }, { "cve": "CVE-2018-20190", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-20190" }, { "cve": "CVE-2018-19839", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19839" }, { "cve": "CVE-2018-19838", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19838" }, { "cve": "CVE-2018-19827", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19827" }, { "cve": "CVE-2018-19797", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19797" }, { "cve": "CVE-2018-15494", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-15494" }, { "cve": "CVE-2018-11698", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-11698" }, { "cve": "CVE-2018-11694", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-11694" } ] }
WID-SEC-W-2023-0856
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0856 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0856.json" }, { "category": "self", "summary": "WID-SEC-2023-0856 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0856" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin vom 2022-05-31", "url": "https://www.ibm.com/support/pages/node/6590981" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-04T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:22:15.406+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0856", "initial_release_date": "2022-05-31T22:00:00.000+00:00", "revision_history": [ { "date": "2022-05-31T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM \u003c 3.0.1", "product": { "name": "IBM QRadar SIEM \u003c 3.0.1", "product_id": "T023376", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:3.0.1" } } } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-11655", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-11655" }, { "cve": "CVE-2020-11656", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-11656" }, { "cve": "CVE-2020-13434", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13434" }, { "cve": "CVE-2020-13435", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13435" }, { "cve": "CVE-2020-13630", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13630" }, { "cve": "CVE-2020-13631", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13631" }, { "cve": "CVE-2020-13632", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13632" }, { "cve": "CVE-2020-15168", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-15168" }, { "cve": "CVE-2020-15358", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-15358" }, { "cve": "CVE-2020-28469", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-28469" }, { "cve": "CVE-2020-7788", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-7788" }, { "cve": "CVE-2020-9327", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-9327" }, { "cve": "CVE-2021-22918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22918" }, { "cve": "CVE-2021-22930", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22930" }, { "cve": "CVE-2021-22931", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22931" }, { "cve": "CVE-2021-22939", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22939" }, { "cve": "CVE-2021-22940", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22940" }, { "cve": "CVE-2021-23343", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-23343" }, { "cve": "CVE-2021-23362", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-23362" }, { "cve": "CVE-2021-27290", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-27290" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-33502", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-33502" }, { "cve": "CVE-2021-3672", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3672" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3807" }, { "cve": "CVE-2021-3918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3918" } ] }
WID-SEC-W-2023-0809
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0809 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0809.json" }, { "category": "self", "summary": "WID-SEC-2023-0809 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0809" }, { "category": "external", "summary": "IBM Security Bulletin: 6967283 vom 2023-03-30", "url": "https://www.ibm.com/support/pages/node/6967283" }, { "category": "external", "summary": "IBM Security Bulletin: 6967333 vom 2023-03-30", "url": "https://www.ibm.com/support/pages/node/6967333" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin 7108657 vom 2024-01-17", "url": "https://www.ibm.com/support/pages/node/7108657" }, { "category": "external", "summary": "Fedora Security Advisory FEDORA-2024-5ECC250449 vom 2024-02-19", "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-5ecc250449" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-02-19T23:00:00.000+00:00", "generator": { "date": "2024-02-20T10:06:43.480+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0809", "initial_release_date": "2023-03-30T22:00:00.000+00:00", "revision_history": [ { "date": "2023-03-30T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-16T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-02-19T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Fedora aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Fedora Linux", "product": { "name": "Fedora Linux", "product_id": "74185", "product_identification_helper": { "cpe": "cpe:/o:fedoraproject:fedora:-" } } } ], "category": "vendor", "name": "Fedora" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version_range", "name": "\u003c User Behavior Analytics 4.1.11", "product": { "name": "IBM QRadar SIEM \u003c User Behavior Analytics 4.1.11", "product_id": "T027026", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:user_behavior_analytics_4.1.11" } } }, { "category": "product_version_range", "name": "\u003c 7.4.3 FP9", "product": { "name": "IBM QRadar SIEM \u003c 7.4.3 FP9", "product_id": "T027027", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.4.3_fp9" } } }, { "category": "product_version_range", "name": "\u003c 7.5.0 UP5", "product": { "name": "IBM QRadar SIEM \u003c 7.5.0 UP5", "product_id": "T027028", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up5" } } } ], "category": "product_name", "name": "QRadar SIEM" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2023-22809" }, { "cve": "CVE-2022-4883", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-4883" }, { "cve": "CVE-2022-46364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-46364" }, { "cve": "CVE-2022-46363", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-46363" }, { "cve": "CVE-2022-45143", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-45143" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-4254", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-4254" }, { "cve": "CVE-2022-42252", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41946", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41946" }, { "cve": "CVE-2022-41704", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-41704" }, { "cve": "CVE-2022-40156", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40156" }, { "cve": "CVE-2022-40155", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40155" }, { "cve": "CVE-2022-40154", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40154" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-37603", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37603" }, { "cve": "CVE-2022-37601", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37601" }, { "cve": "CVE-2022-37599", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37599" }, { "cve": "CVE-2022-37598", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-37598" }, { "cve": "CVE-2022-3676", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-3676" }, { "cve": "CVE-2022-36364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-36364" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-34917", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-34917" }, { "cve": "CVE-2022-31197", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-31197" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-28733", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-28733" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-25927", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25927" }, { "cve": "CVE-2022-25901", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25901" }, { "cve": "CVE-2022-25758", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25758" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-24999", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24999" }, { "cve": "CVE-2022-24839", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24839" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24785", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-24785" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-23437" }, { "cve": "CVE-2022-22971", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22970", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-22970" }, { "cve": "CVE-2022-21724", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21724" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2022-21619" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-42740", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-42740" }, { "cve": "CVE-2021-42581", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-42581" }, { "cve": "CVE-2021-39227", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-39227" }, { "cve": "CVE-2021-3918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3918" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3807" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-3765", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-3765" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-29060", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-29060" }, { "cve": "CVE-2021-26401", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-26401" }, { "cve": "CVE-2021-25220", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-25220" }, { "cve": "CVE-2021-23450", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23450" }, { "cve": "CVE-2021-23382", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23382" }, { "cve": "CVE-2021-23368", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23368" }, { "cve": "CVE-2021-23364", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23364" }, { "cve": "CVE-2021-23362", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23362" }, { "cve": "CVE-2021-23343", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-23343" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2021-21290" }, { "cve": "CVE-2020-7764", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-7764" }, { "cve": "CVE-2020-5259", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-5259" }, { "cve": "CVE-2020-24025", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-24025" }, { "cve": "CVE-2020-15366", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-15366" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2020-13936" }, { "cve": "CVE-2019-6286", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6286" }, { "cve": "CVE-2019-6284", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6284" }, { "cve": "CVE-2019-6283", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-6283" }, { "cve": "CVE-2019-10785", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2019-10785" }, { "cve": "CVE-2018-8036", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-8036" }, { "cve": "CVE-2018-20821", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-20821" }, { "cve": "CVE-2018-20190", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-20190" }, { "cve": "CVE-2018-19839", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19839" }, { "cve": "CVE-2018-19838", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19838" }, { "cve": "CVE-2018-19827", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19827" }, { "cve": "CVE-2018-19797", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-19797" }, { "cve": "CVE-2018-15494", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-15494" }, { "cve": "CVE-2018-11698", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-11698" }, { "cve": "CVE-2018-11694", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Software-Komponenten von QRadar. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Informationen falsch darzustellen, einen Denial of Service Zustand herbeizuf\u00fchren, Sicherheitsvorkehrungen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "T022954", "74185" ] }, "release_date": "2023-03-30T22:00:00Z", "title": "CVE-2018-11694" } ] }
wid-sec-w-2022-0092
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um Dateien zu manipulieren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0092 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0092.json" }, { "category": "self", "summary": "WID-SEC-2022-0092 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0092" }, { "category": "external", "summary": "NodeJs Security Release vom 2021-08-31", "url": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3638 vom 2021-09-22", "url": "https://access.redhat.com/errata/RHSA-2021:3638" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3639 vom 2021-09-22", "url": "https://access.redhat.com/errata/RHSA-2021:3639" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3623 vom 2021-09-21", "url": "https://access.redhat.com/errata/RHSA-2021:3623" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-3623 vom 2021-09-22", "url": "http://linux.oracle.com/errata/ELSA-2021-3623.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3666 vom 2021-09-28", "url": "https://access.redhat.com/errata/RHSA-2021:3666" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-3666 vom 2021-09-28", "url": "http://linux.oracle.com/errata/ELSA-2021-3666.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:4618 vom 2021-11-11", "url": "https://access.redhat.com/errata/RHSA-2021:4618" }, { "category": "external", "summary": "Debian Security Advisory DSA-5008 vom 2021-11-12", "url": "https://www.debian.org/security/2021/dsa-5008" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3886-1 vom 2021-12-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009816.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3940-1 vom 2021-12-06", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009853.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3964-1 vom 2021-12-07", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009869.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5086 vom 2021-12-13", "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0041 vom 2022-01-06", "url": "https://access.redhat.com/errata/RHSA-2022:0041" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0101-1 vom 2022-01-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010017.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0246 vom 2022-01-25", "url": "https://access.redhat.com/errata/RHSA-2022:0246" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:4914 vom 2022-06-06", "url": "https://access.redhat.com/errata/RHSA-2022:4914" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0350 vom 2022-02-02", "url": "https://access.redhat.com/errata/RHSA-2022:0350" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0350 vom 2022-02-02", "url": "http://linux.oracle.com/errata/ELSA-2022-0350.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:1717-1 vom 2022-05-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-May/011058.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0531-1 vom 2022-02-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010279.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0563-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010304.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0569-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010307.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0570-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010306.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0657-1 vom 2022-03-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010326.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0704-1 vom 2022-03-03", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010344.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0715-1 vom 2022-03-04", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010355.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-3237 vom 2022-12-12", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202405-29 vom 2024-05-08", "url": "https://security.gentoo.org/glsa/202405-29" } ], "source_lang": "en-US", "title": "Node.js: Mehrere Schwachstellen erm\u00f6glichen Manipulation von Dateien", "tracking": { "current_release_date": "2024-05-09T22:00:00.000+00:00", "generator": { "date": "2024-05-10T09:04:20.473+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-0092", "initial_release_date": "2021-08-31T22:00:00.000+00:00", "revision_history": [ { "date": "2021-08-31T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-09-21T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-09-22T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2021-09-27T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2021-11-11T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-11-14T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2021-12-02T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-06T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-07T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-13T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-06T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-18T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-01T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-02T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-02-21T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-02-24T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-02T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-03T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-06T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-06-06T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-12-12T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2024-05-09T22:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Gentoo aufgenommen" } ], "status": "final", "version": "24" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003cv12.22.6 (LTS)", "product": { "name": "Open Source Node.js \u003cv12.22.6 (LTS)", "product_id": "T020280", "product_identification_helper": { "cpe": "cpe:/a:nodejs:nodejs:v" } } }, { "category": "product_version_range", "name": "\u003cv14.17.6 (LTS)", "product": { "name": "Open Source Node.js \u003cv14.17.6 (LTS)", "product_id": "T020281", "product_identification_helper": { "cpe": "cpe:/a:nodejs:nodejs:v" } } } ], "category": "product_name", "name": "Node.js" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-39134", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-39134" }, { "cve": "CVE-2021-39135", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-39135" } ] }
WID-SEC-W-2023-0857
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0857 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0857.json" }, { "category": "self", "summary": "WID-SEC-2023-0857 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0857" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin: 6589583 vom 2022-05-24", "url": "https://www.ibm.com/support/pages/node/6589583" }, { "category": "external", "summary": "IBM Security Bulletin: 6589583 vom 2022-05-24", "url": "https://www.ibm.com/support/pages/node/6589581" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-04T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:22:16.228+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0857", "initial_release_date": "2022-05-24T22:00:00.000+00:00", "revision_history": [ { "date": "2022-05-24T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-15168", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-15168" }, { "cve": "CVE-2020-24025", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-24025" }, { "cve": "CVE-2020-28469", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28469" }, { "cve": "CVE-2020-28498", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28498" }, { "cve": "CVE-2020-28500", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28500" }, { "cve": "CVE-2020-7793", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-7793" }, { "cve": "CVE-2021-23337", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-23337" }, { "cve": "CVE-2021-27292", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-27292" }, { "cve": "CVE-2021-29060", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-29060" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-33502", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-33502" }, { "cve": "CVE-2021-33623", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-33623" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-3807" } ] }
wid-sec-w-2023-0857
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0857 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0857.json" }, { "category": "self", "summary": "WID-SEC-2023-0857 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0857" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin: 6589583 vom 2022-05-24", "url": "https://www.ibm.com/support/pages/node/6589583" }, { "category": "external", "summary": "IBM Security Bulletin: 6589583 vom 2022-05-24", "url": "https://www.ibm.com/support/pages/node/6589581" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-04T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:22:16.228+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0857", "initial_release_date": "2022-05-24T22:00:00.000+00:00", "revision_history": [ { "date": "2022-05-24T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-15168", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-15168" }, { "cve": "CVE-2020-24025", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-24025" }, { "cve": "CVE-2020-28469", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28469" }, { "cve": "CVE-2020-28498", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28498" }, { "cve": "CVE-2020-28500", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-28500" }, { "cve": "CVE-2020-7793", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2020-7793" }, { "cve": "CVE-2021-23337", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-23337" }, { "cve": "CVE-2021-27292", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-27292" }, { "cve": "CVE-2021-29060", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-29060" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-33502", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-33502" }, { "cve": "CVE-2021-33623", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-33623" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Komponenten \"Node.js\", \"node-sass\" sowie \"UAParser.js\". Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien manipulieren oder Sicherheitsvorkehrungen zu umgehen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T021415" ] }, "release_date": "2022-05-24T22:00:00Z", "title": "CVE-2021-3807" } ] }
wid-sec-w-2023-0856
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0856 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0856.json" }, { "category": "self", "summary": "WID-SEC-2023-0856 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0856" }, { "category": "external", "summary": "IBM Security Bulletin 6980799 vom 2023-04-04", "url": "https://www.ibm.com/support/pages/node/6980799" }, { "category": "external", "summary": "IBM Security Bulletin vom 2022-05-31", "url": "https://www.ibm.com/support/pages/node/6590981" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-04T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:22:15.406+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0856", "initial_release_date": "2022-05-31T22:00:00.000+00:00", "revision_history": [ { "date": "2022-05-31T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-04T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM \u003c 3.0.1", "product": { "name": "IBM QRadar SIEM \u003c 3.0.1", "product_id": "T023376", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:3.0.1" } } } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-11655", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-11655" }, { "cve": "CVE-2020-11656", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-11656" }, { "cve": "CVE-2020-13434", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13434" }, { "cve": "CVE-2020-13435", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13435" }, { "cve": "CVE-2020-13630", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13630" }, { "cve": "CVE-2020-13631", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13631" }, { "cve": "CVE-2020-13632", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-13632" }, { "cve": "CVE-2020-15168", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-15168" }, { "cve": "CVE-2020-15358", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-15358" }, { "cve": "CVE-2020-28469", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-28469" }, { "cve": "CVE-2020-7788", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-7788" }, { "cve": "CVE-2020-9327", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2020-9327" }, { "cve": "CVE-2021-22918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22918" }, { "cve": "CVE-2021-22930", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22930" }, { "cve": "CVE-2021-22931", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22931" }, { "cve": "CVE-2021-22939", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22939" }, { "cve": "CVE-2021-22940", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-22940" }, { "cve": "CVE-2021-23343", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-23343" }, { "cve": "CVE-2021-23362", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-23362" }, { "cve": "CVE-2021-27290", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-27290" }, { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-33502", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-33502" }, { "cve": "CVE-2021-3672", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3672" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-3807", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3807" }, { "cve": "CVE-2021-3918", "notes": [ { "category": "description", "text": "In IBM QRadar SIEM existieren mehrere Schwachstellen im Zusammenhang mit bekannten Sicherheitsl\u00fccken in den Komponenten Node.js und SQLite. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden." } ], "release_date": "2022-05-31T22:00:00Z", "title": "CVE-2021-3918" } ] }
WID-SEC-W-2022-0092
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um Dateien zu manipulieren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0092 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0092.json" }, { "category": "self", "summary": "WID-SEC-2022-0092 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0092" }, { "category": "external", "summary": "NodeJs Security Release vom 2021-08-31", "url": "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3638 vom 2021-09-22", "url": "https://access.redhat.com/errata/RHSA-2021:3638" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3639 vom 2021-09-22", "url": "https://access.redhat.com/errata/RHSA-2021:3639" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3623 vom 2021-09-21", "url": "https://access.redhat.com/errata/RHSA-2021:3623" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-3623 vom 2021-09-22", "url": "http://linux.oracle.com/errata/ELSA-2021-3623.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:3666 vom 2021-09-28", "url": "https://access.redhat.com/errata/RHSA-2021:3666" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-3666 vom 2021-09-28", "url": "http://linux.oracle.com/errata/ELSA-2021-3666.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:4618 vom 2021-11-11", "url": "https://access.redhat.com/errata/RHSA-2021:4618" }, { "category": "external", "summary": "Debian Security Advisory DSA-5008 vom 2021-11-12", "url": "https://www.debian.org/security/2021/dsa-5008" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3886-1 vom 2021-12-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009816.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3940-1 vom 2021-12-06", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009853.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:3964-1 vom 2021-12-07", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009869.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5086 vom 2021-12-13", "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0041 vom 2022-01-06", "url": "https://access.redhat.com/errata/RHSA-2022:0041" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0101-1 vom 2022-01-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010017.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0246 vom 2022-01-25", "url": "https://access.redhat.com/errata/RHSA-2022:0246" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:4914 vom 2022-06-06", "url": "https://access.redhat.com/errata/RHSA-2022:4914" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0350 vom 2022-02-02", "url": "https://access.redhat.com/errata/RHSA-2022:0350" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0350 vom 2022-02-02", "url": "http://linux.oracle.com/errata/ELSA-2022-0350.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:1717-1 vom 2022-05-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-May/011058.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0531-1 vom 2022-02-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010279.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0563-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010304.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0569-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010307.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0570-1 vom 2022-02-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010306.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0657-1 vom 2022-03-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010326.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0704-1 vom 2022-03-03", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010344.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0715-1 vom 2022-03-04", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010355.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-3237 vom 2022-12-12", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202405-29 vom 2024-05-08", "url": "https://security.gentoo.org/glsa/202405-29" } ], "source_lang": "en-US", "title": "Node.js: Mehrere Schwachstellen erm\u00f6glichen Manipulation von Dateien", "tracking": { "current_release_date": "2024-05-09T22:00:00.000+00:00", "generator": { "date": "2024-05-10T09:04:20.473+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-0092", "initial_release_date": "2021-08-31T22:00:00.000+00:00", "revision_history": [ { "date": "2021-08-31T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-09-21T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-09-22T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2021-09-27T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2021-11-11T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2021-11-14T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2021-12-02T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-06T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-07T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-12-13T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-06T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-18T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-01T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-02T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-02-21T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-02-24T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-02T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-03T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-03-06T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-06-06T22:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-12-12T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2024-05-09T22:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Gentoo aufgenommen" } ], "status": "final", "version": "24" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003cv12.22.6 (LTS)", "product": { "name": "Open Source Node.js \u003cv12.22.6 (LTS)", "product_id": "T020280", "product_identification_helper": { "cpe": "cpe:/a:nodejs:nodejs:v" } } }, { "category": "product_version_range", "name": "\u003cv14.17.6 (LTS)", "product": { "name": "Open Source Node.js \u003cv14.17.6 (LTS)", "product_id": "T020281", "product_identification_helper": { "cpe": "cpe:/a:nodejs:nodejs:v" } } } ], "category": "product_name", "name": "Node.js" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-32803", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-32804" }, { "cve": "CVE-2021-37701", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-37713" }, { "cve": "CVE-2021-39134", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-39134" }, { "cve": "CVE-2021-39135", "notes": [ { "category": "description", "text": "In Node.js existieren mehrere Schwachstellen. Die Schwachstellen bestehen in den Modulen \"tar\" und \"@npmcli/arborist\" und aufgrund von Symlink-Fehlern. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "T012167", "T004914" ] }, "release_date": "2021-08-31T22:00:00Z", "title": "CVE-2021-39135" } ] }
rhsa-2022_0246
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027608)\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)\n\n* normalize-url: ReDoS for data URLs (CVE-2021-33502)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)\n\n* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)\n\n* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0246", "url": "https://access.redhat.com/errata/RHSA-2022:0246" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1907444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907444" }, { "category": "external", "summary": "1945459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945459" }, { "category": "external", "summary": "1964461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964461" }, { "category": "external", "summary": "1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0246.json" } ], "title": "Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:54:19+00:00", "generator": { "date": "2024-12-17T22:54:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:0246", "initial_release_date": "2022-01-25T09:28:51+00:00", "revision_history": [ { "date": "2022-01-25T09:28:51+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-25T09:28:51+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:54:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:14:8040020211213111158:522a0ee4", "product": { "name": "nodejs:14:8040020211213111158:522a0ee4", "product_id": "nodejs:14:8040020211213111158:522a0ee4", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@14:8040020211213111158:522a0ee4" } } }, { "category": "product_version", "name": "nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "product": { "name": "nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "product_id": "nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "product": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "product_id": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.15-1.module%2Bel8.4.0%2B13503%2Bfc29810b?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=aarch64\u0026epoch=1" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "product": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "product_id": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "product": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "product_id": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.15-1.module%2Bel8.4.0%2B13503%2Bfc29810b?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=s390x\u0026epoch=1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.4.0%2B13643%2B6c0ebf22?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, "product_reference": "nodejs:14:8040020211213111158:522a0ee4", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch" }, "product_reference": "nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch" }, "product_reference": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src" }, "product_reference": "nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch" }, "product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src" }, "product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64 as a component of nodejs:14:8040020211213111158:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-7788", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-12-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1907444" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ini: Prototype pollution via malicious INI file", "title": "Vulnerability summary" }, { "category": "other", "text": "Node.JS packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in \"nodejs-npm\" component. Processing malicious files using npm could potentially trigger this vulnerability. The \"ini\" package bundled with npm was not in the library path where it could be included directly in other programs.\n\nThe nodejs-nodemon packages in Red Hat Enterprise Linux and Red Hat Software Collections are affected by this vulnerability as they bundle the nodejs-ini library. Usage of that library is governed by nodemon itself, so applications started by nodemon are not impacted. Further, nodemon is a developer tool not intended to be used in production.\n\nThe ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7788" }, { "category": "external", "summary": "RHBZ#1907444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907444" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7788", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7788" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788" } ], "release_date": "2020-12-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ini: Prototype pollution via malicious INI file" }, { "cve": "CVE-2020-28469", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1945459" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent function. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-glob-parent: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products:\n - OpenShift Container Platform (OCP)\n - OpenShift ServiceMesh (OSSM)\n - Red Hat Advanced Cluster Management for Kubernetes (RHACM)\n - OpenShift distributed tracing", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-28469" }, { "category": "external", "summary": "RHBZ#1945459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945459" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-28469", "url": "https://www.cve.org/CVERecord?id=CVE-2020-28469" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", "url": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905" } ], "release_date": "2021-01-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-glob-parent: Regular expression denial of service" }, { "cve": "CVE-2021-3807", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2007557" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw requires crafted invalid ANSI escape codes in order to be exploited and only allows for denial of service of applications on the client side, hence the impact has been rated as Moderate.\n\nIn Red Hat Virtualization and Red Hat Quay some components use a vulnerable version of ansi-regex. However, all frontend code is executed on the client side. As the maximum impact of this vulnerability is denial of service in the client, the vulnerability is rated Moderate for those products.\n\nOpenShift Container Platform 4 (OCP) ships affected version of ansi-regex in the ose-metering-hadoop container, however the metering operator is deprecated since 4.6[1]. This issue is not currently planned to be addressed in future updates and hence hadoop container has been marked as \u0027will not fix\u0027.\n\nAdvanced Cluster Management for Kubernetes (RHACM) ships the affected version of ansi-regex in several containers, however the impact of this vulnerability is deemed low as it would result in an authenticated slowing down their own user interface. \n\n[1] https://docs.openshift.com/container-platform/4.6/metering/metering-about-metering.html", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3807" }, { "category": "external", "summary": "RHBZ#2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3807", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "category": "external", "summary": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" } ], "release_date": "2021-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes" }, { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-33502", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-05-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1964461" } ], "notes": [ { "category": "description", "text": "A flaw was found in normalize-url. Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-normalize-url: ReDoS for data URLs", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33502" }, { "category": "external", "summary": "RHBZ#1964461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964461" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33502", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33502" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33502", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33502" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539", "url": "https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539" } ], "release_date": "2021-05-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-normalize-url: ReDoS for data URLs" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-25T09:28:51+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0246" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debuginfo-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-debugsource-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-devel-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-docs-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-full-i18n-1:14.18.2-2.module+el8.4.0+13643+6c0ebf22.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-nodemon-0:2.0.15-1.module+el8.4.0+13503+fc29810b.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.s390x", "AppStream-8.4.0.Z.EUS:nodejs:14:8040020211213111158:522a0ee4:npm-1:6.14.15-1.14.18.2.2.module+el8.4.0+13643+6c0ebf22.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" } ] }
rhea-2022_5139
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084651)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHEA-2022:5139", "url": "https://access.redhat.com/errata/RHEA-2022:5139" }, { "category": "external", "summary": "2084651", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084651" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5139.json" } ], "title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:55:22+00:00", "generator": { "date": "2024-12-17T22:55:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHEA-2022:5139", "initial_release_date": "2022-06-21T12:40:06+00:00", "revision_history": [ { "date": "2022-06-21T12:40:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-21T12:40:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:55:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:12:8060020220523160029:ad008a3a", "product": { "name": "nodejs:12:8060020220523160029:ad008a3a", "product_id": "nodejs:12:8060020220523160029:ad008a3a", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@12:8060020220523160029:ad008a3a" } } }, { "category": "product_version", "name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "product": { "name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "product_id": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=aarch64\u0026epoch=1" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "product": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=s390x\u0026epoch=1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.6.0%2B15324%2B1f2c5d8d?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, "product_reference": "nodejs:12:8060020220523160029:ad008a3a", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch" }, "product_reference": "nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch" }, "product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src" }, "product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64 as a component of nodejs:12:8060020220523160029:ad008a3a as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64", "relates_to_product_reference": "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-44531", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040839" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Improper handling of URI Subject Alternative Names", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44531" }, { "category": "external", "summary": "RHBZ#2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Improper handling of URI Subject Alternative Names" }, { "cve": "CVE-2021-44532", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040846" } ], "notes": [ { "category": "description", "text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Certificate Verification Bypass via String Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44532" }, { "category": "external", "summary": "RHBZ#2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Certificate Verification Bypass via String Injection" }, { "cve": "CVE-2021-44533", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040856" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Incorrect handling of certificate subject and issuer fields", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44533" }, { "category": "external", "summary": "RHBZ#2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Incorrect handling of certificate subject and issuer fields" }, { "cve": "CVE-2022-21824", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040862" } ], "notes": [ { "category": "description", "text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Prototype pollution via console.table properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21824" }, { "category": "external", "summary": "RHBZ#2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-21T12:40:06+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debuginfo-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-debugsource-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-devel-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-docs-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-full-i18n-1:12.22.12-1.module+el8.6.0+15324+1f2c5d8d.x86_64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.aarch64", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.ppc64le", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.s390x", "AppStream-8.6.0.Z.MAIN.EUS:nodejs:12:8060020220523160029:ad008a3a:npm-1:6.14.16-1.12.22.12.1.module+el8.6.0+15324+1f2c5d8d.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs: Prototype pollution via console.table properties" } ] }
rhea-2022_4925
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable\nnetwork applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084654)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHEA-2022:4925", "url": "https://access.redhat.com/errata/RHEA-2022:4925" }, { "category": "external", "summary": "2084654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084654" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_4925.json" } ], "title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:54:54+00:00", "generator": { "date": "2024-12-17T22:54:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHEA-2022:4925", "initial_release_date": "2022-06-07T08:24:22+00:00", "revision_history": [ { "date": "2022-06-07T08:24:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-07T08:24:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:54:54+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:12:8010020220518102644:c27ad7f8", "product": { "name": "nodejs:12:8010020220518102644:c27ad7f8", "product_id": "nodejs:12:8010020220518102644:c27ad7f8", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@12:8010020220518102644:c27ad7f8" } } }, { "category": "product_version", "name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "product": { "name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "product_id": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "product": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.1.0%2B15296%2B87b2f6ad?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, "product_reference": "nodejs:12:8010020220518102644:c27ad7f8", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch" }, "product_reference": "nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64 as a component of nodejs:12:8010020220518102644:c27ad7f8 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-44531", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040839" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Improper handling of URI Subject Alternative Names", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44531" }, { "category": "external", "summary": "RHBZ#2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Improper handling of URI Subject Alternative Names" }, { "cve": "CVE-2021-44532", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040846" } ], "notes": [ { "category": "description", "text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Certificate Verification Bypass via String Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44532" }, { "category": "external", "summary": "RHBZ#2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Certificate Verification Bypass via String Injection" }, { "cve": "CVE-2021-44533", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040856" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Incorrect handling of certificate subject and issuer fields", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44533" }, { "category": "external", "summary": "RHBZ#2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Incorrect handling of certificate subject and issuer fields" }, { "cve": "CVE-2022-21824", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040862" } ], "notes": [ { "category": "description", "text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Prototype pollution via console.table properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21824" }, { "category": "external", "summary": "RHBZ#2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-07T08:24:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:4925" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debuginfo-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-debugsource-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-devel-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-docs-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-full-i18n-1:12.22.12-1.module+el8.1.0+15296+87b2f6ad.x86_64", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.ppc64le", "AppStream-8.1.0.Z.E4S:nodejs:12:8010020220518102644:c27ad7f8:npm-1:6.14.16-1.12.22.12.1.module+el8.1.0+15296+87b2f6ad.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs: Prototype pollution via console.table properties" } ] }
rhsa-2022_0041
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.18.2). (BZ#2031766)\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)\n\n* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)\n\n* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0041", "url": "https://access.redhat.com/errata/RHSA-2022:0041" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "2031766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031766" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0041.json" } ], "title": "Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update", "tracking": { "current_release_date": "2024-12-17T22:54:11+00:00", "generator": { "date": "2024-12-17T22:54:11+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:0041", "initial_release_date": "2022-01-06T18:43:03+00:00", "revision_history": [ { "date": "2022-01-06T18:43:03+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-06T18:43:03+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:54:11+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "product": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "product_id": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.18.2-1.el7?arch=src" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "product": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "product_id": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-nodemon@2.0.3-6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "product": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "product_id": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.18.2-1.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "product": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "product_id": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.18.2-1.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "product": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "product_id": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.15-14.18.2.1.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "product": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "product_id": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.18.2-1.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "product": { "name": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "product_id": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-docs@14.18.2-1.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "product": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "product_id": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-nodemon@2.0.3-6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "product": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "product_id": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.18.2-1.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "product": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "product_id": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.18.2-1.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "product": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "product_id": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.15-14.18.2.1.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "product": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "product_id": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.18.2-1.el7?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "product": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "product_id": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs@14.18.2-1.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "product": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "product_id": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-devel@14.18.2-1.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "product": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "product_id": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-npm@6.14.15-14.18.2.1.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "product": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "product_id": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs14-nodejs-debuginfo@14.18.2-1.el7?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch" }, "product_reference": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch" }, "product_reference": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src" }, "product_reference": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64" }, "product_reference": "rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch" }, "product_reference": "rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch" }, "product_reference": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src" }, "product_reference": "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" }, "product_reference": "rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3807", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2007557" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw requires crafted invalid ANSI escape codes in order to be exploited and only allows for denial of service of applications on the client side, hence the impact has been rated as Moderate.\n\nIn Red Hat Virtualization and Red Hat Quay some components use a vulnerable version of ansi-regex. However, all frontend code is executed on the client side. As the maximum impact of this vulnerability is denial of service in the client, the vulnerability is rated Moderate for those products.\n\nOpenShift Container Platform 4 (OCP) ships affected version of ansi-regex in the ose-metering-hadoop container, however the metering operator is deprecated since 4.6[1]. This issue is not currently planned to be addressed in future updates and hence hadoop container has been marked as \u0027will not fix\u0027.\n\nAdvanced Cluster Management for Kubernetes (RHACM) ships the affected version of ansi-regex in several containers, however the impact of this vulnerability is deemed low as it would result in an authenticated slowing down their own user interface. \n\n[1] https://docs.openshift.com/container-platform/4.6/metering/metering-about-metering.html", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3807" }, { "category": "external", "summary": "RHBZ#2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3807", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "category": "external", "summary": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" } ], "release_date": "2021-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes" }, { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-06T18:43:03+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0041" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-debuginfo-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-devel-0:14.18.2-1.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-docs-0:14.18.2-1.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs14-npm-0:6.14.15-14.18.2.1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" } ] }
rhea-2022_5615
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084652)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHEA-2022:5615", "url": "https://access.redhat.com/errata/RHEA-2022:5615" }, { "category": "external", "summary": "2084652", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084652" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5615.json" } ], "title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:55:03+00:00", "generator": { "date": "2024-12-17T22:55:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHEA-2022:5615", "initial_release_date": "2022-07-19T21:07:21+00:00", "revision_history": [ { "date": "2022-07-19T21:07:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-07-19T21:07:21+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:55:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:12:8040020220523155137:522a0ee4", "product": { "name": "nodejs:12:8040020220523155137:522a0ee4", "product_id": "nodejs:12:8040020220523155137:522a0ee4", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@12:8040020220523155137:522a0ee4" } } }, { "category": "product_version", "name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "product": { "name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "product_id": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=aarch64\u0026epoch=1" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "product": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product_id": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.3-1.module%2Bel8.4.0%2B11732%2Bc668cc9f?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=s390x\u0026epoch=1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.4.0%2B15323%2B4d1cc445?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, "product_reference": "nodejs:12:8040020220523155137:522a0ee4", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch" }, "product_reference": "nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch" }, "product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src" }, "product_reference": "nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64 as a component of nodejs:12:8040020220523155137:522a0ee4 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-44531", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040839" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Improper handling of URI Subject Alternative Names", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44531" }, { "category": "external", "summary": "RHBZ#2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Improper handling of URI Subject Alternative Names" }, { "cve": "CVE-2021-44532", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040846" } ], "notes": [ { "category": "description", "text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Certificate Verification Bypass via String Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44532" }, { "category": "external", "summary": "RHBZ#2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Certificate Verification Bypass via String Injection" }, { "cve": "CVE-2021-44533", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040856" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Incorrect handling of certificate subject and issuer fields", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44533" }, { "category": "external", "summary": "RHBZ#2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Incorrect handling of certificate subject and issuer fields" }, { "cve": "CVE-2022-21824", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040862" } ], "notes": [ { "category": "description", "text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Prototype pollution via console.table properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21824" }, { "category": "external", "summary": "RHBZ#2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-19T21:07:21+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5615" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debuginfo-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-debugsource-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-devel-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-docs-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-full-i18n-1:12.22.12-1.module+el8.4.0+15323+4d1cc445.x86_64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-nodemon-0:2.0.3-1.module+el8.4.0+11732+c668cc9f.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.aarch64", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.ppc64le", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.s390x", "AppStream-8.4.0.Z.EUS:nodejs:12:8040020220523155137:522a0ee4:npm-1:6.14.16-1.12.22.12.1.module+el8.4.0+15323+4d1cc445.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs: Prototype pollution via console.table properties" } ] }
rhea-2022_5221
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs:12/nodejs: rebase to last upstream release (BZ#2084653)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHEA-2022:5221", "url": "https://access.redhat.com/errata/RHEA-2022:5221" }, { "category": "external", "summary": "2084653", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084653" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5221.json" } ], "title": "Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:55:12+00:00", "generator": { "date": "2024-12-17T22:55:12+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHEA-2022:5221", "initial_release_date": "2022-06-28T07:58:19+00:00", "revision_history": [ { "date": "2022-06-28T07:58:19+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-28T07:58:19+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:55:12+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:12:8020020220523154454:4cda2c84", "product": { "name": "nodejs:12:8020020220523154454:4cda2c84", "product_id": "nodejs:12:8020020220523154454:4cda2c84", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@12:8020020220523154454:4cda2c84" } } }, { "category": "product_version", "name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "product": { "name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "product_id": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=aarch64\u0026epoch=1" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "product": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@1.18.3-1.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_id": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@17-3.module%2Bel8.1.0%2B3369%2B37ae6a45?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=s390x\u0026epoch=1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@12.22.12-1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64", "product": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_id": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.16-1.12.22.12.1.module%2Bel8.2.0%2B15322%2Ba70ca0ab?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, "product_reference": "nodejs:12:8020020220523154454:4cda2c84", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch" }, "product_reference": "nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src" }, "product_reference": "nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64 as a component of nodejs:12:8020020220523154454:4cda2c84 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" }, "product_reference": "npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-44531", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040839" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Improper handling of URI Subject Alternative Names", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44531" }, { "category": "external", "summary": "RHBZ#2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Improper handling of URI Subject Alternative Names" }, { "cve": "CVE-2021-44532", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040846" } ], "notes": [ { "category": "description", "text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Certificate Verification Bypass via String Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44532" }, { "category": "external", "summary": "RHBZ#2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Certificate Verification Bypass via String Injection" }, { "cve": "CVE-2021-44533", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040856" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Incorrect handling of certificate subject and issuer fields", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44533" }, { "category": "external", "summary": "RHBZ#2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Incorrect handling of certificate subject and issuer fields" }, { "cve": "CVE-2022-21824", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040862" } ], "notes": [ { "category": "description", "text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Prototype pollution via console.table properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21824" }, { "category": "external", "summary": "RHBZ#2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-28T07:58:19+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHEA-2022:5221" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debuginfo-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-debugsource-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-devel-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-docs-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-full-i18n-1:12.22.12-1.module+el8.2.0+15322+a70ca0ab.x86_64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-nodemon-0:1.18.3-1.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.noarch", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:nodejs-packaging-0:17-3.module+el8.1.0+3369+37ae6a45.src", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.aarch64", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.ppc64le", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.s390x", "AppStream-8.2.0.Z.EUS:nodejs:12:8020020220523154454:4cda2c84:npm-1:6.14.16-1.12.22.12.1.module+el8.2.0+15322+a70ca0ab.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs: Prototype pollution via console.table properties" } ] }
rhsa-2022_0350
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609)\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)\n\n* normalize-url: ReDoS for data URLs (CVE-2021-33502)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)\n\n* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)\n\n* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0350", "url": "https://access.redhat.com/errata/RHSA-2022:0350" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1907444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907444" }, { "category": "external", "summary": "1945459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945459" }, { "category": "external", "summary": "1964461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964461" }, { "category": "external", "summary": "1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0350.json" } ], "title": "Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:54:28+00:00", "generator": { "date": "2024-12-17T22:54:28+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:0350", "initial_release_date": "2022-02-01T21:18:22+00:00", "revision_history": [ { "date": "2022-02-01T21:18:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-01T21:18:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:54:28+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "nodejs:14:8050020211213115342:c5368500", "product": { "name": "nodejs:14:8050020211213115342:c5368500", "product_id": "nodejs:14:8050020211213115342:c5368500", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/nodejs@14:8050020211213115342:c5368500" } } }, { "category": "product_version", "name": "nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "product": { "name": "nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "product_id": "nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-docs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "product": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "product_id": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.15-1.module%2Bel8.5.0%2B13504%2Ba2e74d91?arch=noarch" } } }, { "category": "product_version", "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=ppc64le\u0026epoch=1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "product": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "product_id": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "product": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "product_id": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-nodemon@2.0.15-1.module%2Bel8.5.0%2B13504%2Ba2e74d91?arch=src" } } }, { "category": "product_version", "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product_id": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-packaging@23-3.module%2Bel8.3.0%2B6519%2B9f98ed83?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=aarch64\u0026epoch=1" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=s390x\u0026epoch=1" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debuginfo@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-debugsource@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-devel@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/nodejs-full-i18n@14.18.2-2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } }, { "category": "product_version", "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64", "product": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64", "product_id": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/npm@6.14.15-1.14.18.2.2.module%2Bel8.5.0%2B13644%2B8d46dafd?arch=x86_64\u0026epoch=1" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, "product_reference": "nodejs:14:8050020211213115342:c5368500", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch" }, "product_reference": "nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch" }, "product_reference": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src" }, "product_reference": "nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch" }, "product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src" }, "product_reference": "nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" }, { "category": "default_component_of", "full_product_name": { "name": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64 as a component of nodejs:14:8050020211213115342:c5368500 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" }, "product_reference": "npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-7788", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-12-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1907444" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ini: Prototype pollution via malicious INI file", "title": "Vulnerability summary" }, { "category": "other", "text": "Node.JS packages in Red Hat Enterprise Linux and Red Hat Software Collections included the vulnerable dependency packaged in \"nodejs-npm\" component. Processing malicious files using npm could potentially trigger this vulnerability. The \"ini\" package bundled with npm was not in the library path where it could be included directly in other programs.\n\nThe nodejs-nodemon packages in Red Hat Enterprise Linux and Red Hat Software Collections are affected by this vulnerability as they bundle the nodejs-ini library. Usage of that library is governed by nodemon itself, so applications started by nodemon are not impacted. Further, nodemon is a developer tool not intended to be used in production.\n\nThe ini package is included in Red Hat Quay by protractor and webpack-cli, both of which are dev dependencies.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7788" }, { "category": "external", "summary": "RHBZ#1907444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907444" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7788", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7788" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788" } ], "release_date": "2020-12-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ini: Prototype pollution via malicious INI file" }, { "cve": "CVE-2020-28469", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1945459" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent function. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-glob-parent: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "While some components do package a vulnerable version of glob-parent, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products:\n - OpenShift Container Platform (OCP)\n - OpenShift ServiceMesh (OSSM)\n - Red Hat Advanced Cluster Management for Kubernetes (RHACM)\n - OpenShift distributed tracing", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-28469" }, { "category": "external", "summary": "RHBZ#1945459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945459" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-28469", "url": "https://www.cve.org/CVERecord?id=CVE-2020-28469" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", "url": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905" } ], "release_date": "2021-01-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-glob-parent: Regular expression denial of service" }, { "cve": "CVE-2021-3807", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2007557" } ], "notes": [ { "category": "description", "text": "A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw requires crafted invalid ANSI escape codes in order to be exploited and only allows for denial of service of applications on the client side, hence the impact has been rated as Moderate.\n\nIn Red Hat Virtualization and Red Hat Quay some components use a vulnerable version of ansi-regex. However, all frontend code is executed on the client side. As the maximum impact of this vulnerability is denial of service in the client, the vulnerability is rated Moderate for those products.\n\nOpenShift Container Platform 4 (OCP) ships affected version of ansi-regex in the ose-metering-hadoop container, however the metering operator is deprecated since 4.6[1]. This issue is not currently planned to be addressed in future updates and hence hadoop container has been marked as \u0027will not fix\u0027.\n\nAdvanced Cluster Management for Kubernetes (RHACM) ships the affected version of ansi-regex in several containers, however the impact of this vulnerability is deemed low as it would result in an authenticated slowing down their own user interface. \n\n[1] https://docs.openshift.com/container-platform/4.6/metering/metering-about-metering.html", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3807" }, { "category": "external", "summary": "RHBZ#2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3807", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "category": "external", "summary": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" } ], "release_date": "2021-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes" }, { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-33502", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-05-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1964461" } ], "notes": [ { "category": "description", "text": "A flaw was found in normalize-url. Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-normalize-url: ReDoS for data URLs", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33502" }, { "category": "external", "summary": "RHBZ#1964461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964461" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33502", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33502" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33502", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33502" }, { "category": "external", "summary": "https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539", "url": "https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539" } ], "release_date": "2021-05-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-normalize-url: ReDoS for data URLs" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-01T21:18:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0350" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debuginfo-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-debugsource-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-devel-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-docs-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-full-i18n-1:14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-nodemon-0:2.0.15-1.module+el8.5.0+13504+a2e74d91.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.noarch", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:nodejs-packaging-0:23-3.module+el8.3.0+6519+9f98ed83.src", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x", "AppStream-8.5.0.Z.MAIN:nodejs:14:8050020211213115342:c5368500:npm-1:6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" } ] }
rhsa-2022_4914
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.12). This is the last planned rebase before the collection reaches End of Life.\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)\n\n* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)\n\n* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)\n\n* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)\n\n* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)\n\n* minimist: prototype pollution (CVE-2021-44906)\n\n* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)\n\n* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)\n\n* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:4914", "url": "https://access.redhat.com/errata/RHSA-2022:4914" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4914.json" } ], "title": "Red Hat Security Advisory: rh-nodejs12-nodejs security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-12-17T22:55:06+00:00", "generator": { "date": "2024-12-17T22:55:06+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2022:4914", "initial_release_date": "2022-06-06T09:29:16+00:00", "revision_history": [ { "date": "2022-06-06T09:29:16+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-06T09:29:16+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T22:55:06+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "product": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "product_id": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs@12.22.12-2.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "product": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "product_id": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs@12.22.12-2.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "product": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "product_id": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-devel@12.22.12-2.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "product": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "product_id": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-npm@6.14.16-12.22.12.2.el7?arch=x86_64" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "product": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "product_id": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-debuginfo@12.22.12-2.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "product": { "name": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "product_id": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-docs@12.22.12-2.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "product": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "product_id": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs@12.22.12-2.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "product": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "product_id": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-devel@12.22.12-2.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "product": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "product_id": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-npm@6.14.16-12.22.12.2.el7?arch=s390x" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "product": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "product_id": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-debuginfo@12.22.12-2.el7?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "product": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "product_id": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs@12.22.12-2.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "product": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "product_id": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-devel@12.22.12-2.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "product": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "product_id": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-npm@6.14.16-12.22.12.2.el7?arch=ppc64le" } } }, { "category": "product_version", "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "product": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "product_id": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-nodejs12-nodejs-debuginfo@12.22.12-2.el7?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch" }, "product_reference": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64 as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64" }, "product_reference": "rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch" }, "product_reference": "rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64 as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" }, "product_reference": "rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3918", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2021-11-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2024702" } ], "notes": [ { "category": "description", "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-json-schema: Prototype pollution vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3918" }, { "category": "external", "summary": "RHBZ#2024702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" } ], "release_date": "2021-10-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-json-schema: Prototype pollution vulnerability" }, { "cve": "CVE-2021-22959", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014057" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling due to spaces in headers", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22959" }, { "category": "external", "summary": "RHBZ#2014057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22959", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22959" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22959" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling due to spaces in headers" }, { "cve": "CVE-2021-22960", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-10-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2014059" } ], "notes": [ { "category": "description", "text": "An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22960" }, { "category": "external", "summary": "RHBZ#2014059", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014059" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22960", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22960" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/" } ], "release_date": "2021-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "llhttp: HTTP Request Smuggling when parsing the body of chunked requests" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-44531", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040839" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js where it accepted a certificate\u0027s Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Improper handling of URI Subject Alternative Names", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44531" }, { "category": "external", "summary": "RHBZ#2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44531", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44531" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Improper handling of URI Subject Alternative Names" }, { "cve": "CVE-2021-44532", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040846" } ], "notes": [ { "category": "description", "text": "It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Certificate Verification Bypass via String Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44532" }, { "category": "external", "summary": "RHBZ#2040846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44532", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44532" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Certificate Verification Bypass via String Injection" }, { "cve": "CVE-2021-44533", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040856" } ], "notes": [ { "category": "description", "text": "A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Incorrect handling of certificate subject and issuer fields", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore, the Quay component is marked as \"Will not fix\" with impact LOW.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44533" }, { "category": "external", "summary": "RHBZ#2040856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44533", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44533" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs: Incorrect handling of certificate subject and issuer fields" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "cve": "CVE-2022-21824", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "discovery_date": "2022-01-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2040862" } ], "notes": [ { "category": "description", "text": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js \u003e= 12.22.9, \u003e= 14.18.3, \u003e= 16.13.2, and \u003e= 17.3.1 use a null protoype for the object these properties are being assigned to.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs: Prototype pollution via console.table properties", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\".", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21824" }, { "category": "external", "summary": "RHBZ#2040862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21824", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21824" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-06T09:29:16+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Server-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Server-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.src", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-debuginfo-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-devel-0:12.22.12-2.el7.x86_64", "7Workstation-RHSCL-3.8:rh-nodejs12-nodejs-docs-0:12.22.12-2.el7.noarch", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.ppc64le", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.s390x", "7Workstation-RHSCL-3.8:rh-nodejs12-npm-0:6.14.16-12.22.12.2.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs: Prototype pollution via console.table properties" } ] }
rhsa-2021_5086
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Data Foundation is software-defined storage integrated\nwith and optimized for the Red Hat OpenShift Container Platform. Red Hat\nOpenShift Data Foundation is a highly scalable, production-grade persistent\nstorage for stateful applications running in the Red Hat OpenShift\nContainer Platform. In addition to persistent storage, Red Hat OpenShift\nData Foundation provisions a multicloud data management service with an S3\ncompatible API.\n\nSecurity Fix(es):\n\n* kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel \u003e= 9 (CVE-2020-8565)\n\n* nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)\n\n* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)\n\n* golang: net: lookup functions may return invalid host names (CVE-2021-33195)\n\n* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)\n\n* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\n* nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)\n\n* nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information refer to the CVE\npage(s) listed in the References section.\n\nThese updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index\n\nAll Red Hat OpenShift Data Foundation users are advised to upgrade to\nthese updated images, which provide numerous bug fixes and enhancements.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5086", "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1810525", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810525" }, { "category": "external", "summary": "1853638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853638" }, { "category": "external", "summary": "1886638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886638" }, { "category": "external", "summary": "1890438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1890438" }, { "category": "external", "summary": "1890978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1890978" }, { "category": "external", "summary": "1892709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1892709" }, { "category": "external", "summary": "1901954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901954" }, { "category": "external", "summary": "1910790", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1910790" }, { "category": "external", "summary": "1927782", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927782" }, { "category": "external", "summary": "1929242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1929242" }, { "category": "external", "summary": "1932396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1932396" }, { "category": "external", "summary": "1934625", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934625" }, { "category": "external", "summary": "1956285", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956285" }, { "category": "external", "summary": "1959793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1959793" }, { "category": "external", "summary": "1964083", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964083" }, { "category": "external", "summary": "1965322", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965322" }, { "category": "external", "summary": "1968510", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968510" }, { "category": "external", "summary": "1968606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968606" }, { "category": "external", "summary": "1969216", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969216" }, { "category": "external", "summary": "1973256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1973256" }, { "category": "external", "summary": "1975272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975272" }, { "category": "external", "summary": "1975581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975581" }, { "category": "external", "summary": "1979244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979244" }, { "category": "external", "summary": "1979502", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979502" }, { "category": "external", "summary": "1980818", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980818" }, { "category": "external", "summary": "1981331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981331" }, { "category": "external", "summary": "1983596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596" }, { "category": "external", "summary": "1983756", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983756" }, { "category": "external", "summary": "1984284", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1984284" }, { "category": "external", "summary": "1984334", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1984334" }, { "category": "external", "summary": "1984396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1984396" }, { "category": "external", "summary": "1984735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1984735" }, { "category": "external", "summary": "1985074", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1985074" }, { "category": "external", "summary": "1986444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1986444" }, { "category": "external", "summary": "1986794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1986794" }, { "category": "external", "summary": "1987806", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1987806" }, { "category": "external", "summary": "1988518", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1988518" }, { "category": "external", "summary": "1989482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989482" }, { "category": "external", "summary": "1989564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989564" }, { "category": "external", "summary": "1989570", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989570" }, { "category": "external", "summary": "1989575", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989575" }, { "category": "external", "summary": "1990230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990230" }, { "category": "external", "summary": "1990409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409" }, { "category": "external", "summary": "1990415", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415" }, { "category": "external", "summary": "1991822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991822" }, { "category": "external", "summary": "1992472", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992472" }, { "category": "external", "summary": "1994261", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994261" }, { "category": "external", "summary": "1994577", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994577" }, { "category": "external", "summary": "1994584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994584" }, { "category": "external", "summary": "1994602", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994602" }, { "category": "external", "summary": "1994606", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994606" }, { "category": "external", "summary": "1994687", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994687" }, { "category": "external", "summary": "1995009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995009" }, { "category": "external", "summary": "1995056", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995056" }, { "category": "external", "summary": "1995271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995271" }, { "category": "external", "summary": "1995718", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995718" }, { "category": "external", "summary": "1997237", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997237" }, { "category": "external", "summary": "1997624", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997624" }, { "category": "external", "summary": "1997738", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997738" }, { "category": "external", "summary": "1997922", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997922" }, { "category": "external", "summary": "1998851", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1998851" }, { "category": "external", "summary": "1999050", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999050" }, { "category": "external", "summary": "1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "1999748", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999748" }, { "category": "external", "summary": "1999763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999763" }, { "category": "external", "summary": "1999767", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999767" }, { "category": "external", "summary": "2000082", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000082" }, { "category": "external", "summary": "2000098", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000098" }, { "category": "external", "summary": "2000143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000143" }, { "category": "external", "summary": "2000190", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000190" }, { "category": "external", "summary": "2000579", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000579" }, { "category": "external", "summary": "2000588", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000588" }, { "category": "external", "summary": "2000860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000860" }, { "category": "external", "summary": "2000865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000865" }, { "category": "external", "summary": "2001482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001482" }, { "category": "external", "summary": "2001539", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001539" }, { "category": "external", "summary": "2001580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001580" }, { "category": "external", "summary": "2001970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001970" }, { "category": "external", "summary": "2002225", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2002225" }, { "category": "external", "summary": "2003444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2003444" }, { "category": "external", "summary": "2003904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2003904" }, { "category": "external", "summary": "2004003", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004003" }, { "category": "external", "summary": "2004013", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004013" }, { "category": "external", "summary": "2004030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004030" }, { "category": "external", "summary": "2004824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004824" }, { "category": "external", "summary": "2005103", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005103" }, { "category": "external", "summary": "2005290", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005290" }, { "category": "external", "summary": "2005812", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005812" }, { "category": "external", "summary": "2005838", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005838" }, { "category": "external", "summary": "2005843", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005843" }, { "category": "external", "summary": "2005937", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005937" }, { "category": "external", "summary": "2006176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006176" }, { "category": "external", "summary": "2006865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006865" }, { "category": "external", "summary": "2007130", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007130" }, { "category": "external", "summary": "2007202", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007202" }, { "category": "external", "summary": "2007212", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007212" }, { "category": "external", "summary": "2007377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007377" }, { "category": "external", "summary": "2007717", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007717" }, { "category": "external", "summary": "2010041", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010041" }, { "category": "external", "summary": "2010185", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010185" }, { "category": "external", "summary": "2010188", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010188" }, { "category": "external", "summary": "2010194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010194" }, { "category": "external", "summary": "2010202", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010202" }, { "category": "external", "summary": "2011225", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011225" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5086.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update", "tracking": { "current_release_date": "2024-12-17T17:58:27+00:00", "generator": { "date": "2024-12-17T17:58:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2021:5086", "initial_release_date": "2021-12-13T19:26:22+00:00", "revision_history": [ { "date": "2021-12-13T19:26:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-13T19:26:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T17:58:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product": { "name": "Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Data Foundation" }, { "branches": [ { "category": "product_version", "name": "odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "product": { "name": "odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "product_id": "odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "product_identification_helper": { "purl": "pkg:oci/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745?arch=s390x\u0026repository_url=registry.redhat.io/odf4/cephcsi-rhel8\u0026tag=4.9-164.57484e3.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "product": { "name": "odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "product_id": "odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "product_identification_helper": { "purl": "pkg:oci/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349?arch=s390x\u0026repository_url=registry.redhat.io/odf4/ocs-must-gather-rhel8\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "product": { "name": "odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "product_id": "odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "product_identification_helper": { "purl": "pkg:oci/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8?arch=s390x\u0026repository_url=registry.redhat.io/odf4/ocs-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "product": { "name": "odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "product_id": "odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "product_identification_helper": { "purl": "pkg:oci/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c?arch=s390x\u0026repository_url=registry.redhat.io/odf4/ocs-rhel8-operator\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "product": { "name": "odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "product_id": "odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odf-console-rhel8\u0026tag=4.9-39.0f2fa23.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "product": { "name": "odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "product_id": "odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product_id": "odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product": { "name": "odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product_id": "odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb?arch=s390x\u0026repository_url=registry.redhat.io/odf/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "product": { "name": "odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "product_id": "odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odf-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "product": { "name": "odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "product_id": "odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "product_identification_helper": { "purl": "pkg:oci/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odf-rhel8-operator\u0026tag=4.9-59.c8bbc1f.release_4.9" } } }, { "category": "product_version", "name": "odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "product": { "name": "odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "product_id": "odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "product_identification_helper": { "purl": "pkg:oci/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odr-cluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "product": { "name": "odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "product_id": "odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "product_identification_helper": { "purl": "pkg:oci/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odr-hub-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "product": { "name": "odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "product_id": "odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "product_identification_helper": { "purl": "pkg:oci/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1?arch=s390x\u0026repository_url=registry.redhat.io/odf4/odr-rhel8-operator\u0026tag=4.9-27.3d037cc.release_4.9" } } }, { "category": "product_version", "name": "odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "product": { "name": "odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "product_id": "odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "product_identification_helper": { "purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3?arch=s390x\u0026repository_url=registry.redhat.io/odf4/rook-ceph-rhel8-operator\u0026tag=4.9-219.c3f67c6.release_4.9" } } }, { "category": "product_version", "name": "odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "product": { "name": "odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "product_id": "odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "product_identification_helper": { "purl": "pkg:oci/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe?arch=s390x\u0026repository_url=registry.redhat.io/odf4/volume-replication-rhel8-operator\u0026tag=4.9-28.82f68db.release_4.9" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "product": { "name": "odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "product_id": "odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "product_identification_helper": { "purl": "pkg:oci/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/cephcsi-rhel8\u0026tag=4.9-164.57484e3.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "product": { "name": "odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "product_id": "odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/ocs-must-gather-rhel8\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "product": { "name": "odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "product_id": "odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/ocs-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "product": { "name": "odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "product_id": "odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/ocs-rhel8-operator\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "product": { "name": "odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "product_id": "odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odf-console-rhel8\u0026tag=4.9-39.0f2fa23.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "product": { "name": "odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "product_id": "odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product_id": "odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product": { "name": "odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product_id": "odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039?arch=ppc64le\u0026repository_url=registry.redhat.io/odf/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "product": { "name": "odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "product_id": "odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odf-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "product": { "name": "odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "product_id": "odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odf-rhel8-operator\u0026tag=4.9-59.c8bbc1f.release_4.9" } } }, { "category": "product_version", "name": "odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "product": { "name": "odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "product_id": "odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odr-cluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "product": { "name": "odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "product_id": "odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odr-hub-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "product": { "name": "odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "product_id": "odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/odr-rhel8-operator\u0026tag=4.9-27.3d037cc.release_4.9" } } }, { "category": "product_version", "name": "odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "product": { "name": "odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "product_id": "odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/rook-ceph-rhel8-operator\u0026tag=4.9-219.c3f67c6.release_4.9" } } }, { "category": "product_version", "name": "odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le", "product": { "name": "odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le", "product_id": "odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le", "product_identification_helper": { "purl": "pkg:oci/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927?arch=ppc64le\u0026repository_url=registry.redhat.io/odf4/volume-replication-rhel8-operator\u0026tag=4.9-28.82f68db.release_4.9" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "product": { "name": "odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "product_id": "odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "product_identification_helper": { "purl": "pkg:oci/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95?arch=amd64\u0026repository_url=registry.redhat.io/odf4/cephcsi-rhel8\u0026tag=4.9-164.57484e3.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "product": { "name": "odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "product_id": "odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "product_identification_helper": { "purl": "pkg:oci/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d?arch=amd64\u0026repository_url=registry.redhat.io/odf4/ocs-must-gather-rhel8\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "product": { "name": "odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "product_id": "odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "product_identification_helper": { "purl": "pkg:oci/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f?arch=amd64\u0026repository_url=registry.redhat.io/odf4/ocs-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "product": { "name": "odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "product_id": "odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "product_identification_helper": { "purl": "pkg:oci/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479?arch=amd64\u0026repository_url=registry.redhat.io/odf4/ocs-rhel8-operator\u0026tag=4.9-257.4181add.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "product": { "name": "odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "product_id": "odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odf-console-rhel8\u0026tag=4.9-39.0f2fa23.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "product": { "name": "odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "product_id": "odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product_id": "odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product": { "name": "odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product_id": "odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d?arch=amd64\u0026repository_url=registry.redhat.io/odf/odf-multicluster-rhel8-operator\u0026tag=4.9-30.007b3d8.release_4.9" } } }, { "category": "product_version", "name": "odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "product": { "name": "odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "product_id": "odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odf-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "product": { "name": "odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "product_id": "odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "product_identification_helper": { "purl": "pkg:oci/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odf-rhel8-operator\u0026tag=4.9-59.c8bbc1f.release_4.9" } } }, { "category": "product_version", "name": "odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "product": { "name": "odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "product_id": "odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "product_identification_helper": { "purl": "pkg:oci/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odr-cluster-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "product": { "name": "odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "product_id": "odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "product_identification_helper": { "purl": "pkg:oci/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odr-hub-operator-bundle\u0026tag=4.9.0-5" } } }, { "category": "product_version", "name": "odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "product": { "name": "odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "product_id": "odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "product_identification_helper": { "purl": "pkg:oci/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d?arch=amd64\u0026repository_url=registry.redhat.io/odf4/odr-rhel8-operator\u0026tag=4.9-27.3d037cc.release_4.9" } } }, { "category": "product_version", "name": "odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "product": { "name": "odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "product_id": "odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "product_identification_helper": { "purl": "pkg:oci/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4?arch=amd64\u0026repository_url=registry.redhat.io/odf4/rook-ceph-rhel8-operator\u0026tag=4.9-219.c3f67c6.release_4.9" } } }, { "category": "product_version", "name": "odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "product": { "name": "odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "product_id": "odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "product_identification_helper": { "purl": "pkg:oci/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336?arch=amd64\u0026repository_url=registry.redhat.io/odf4/volume-replication-rhel8-operator\u0026tag=4.9-28.82f68db.release_4.9" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le" }, "product_reference": "odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64" }, "product_reference": "odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x" }, "product_reference": "odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x" }, "product_reference": "odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64" }, "product_reference": "odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le" }, "product_reference": "odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x" }, "product_reference": "odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64" }, "product_reference": "odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le" }, "product_reference": "odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64" }, "product_reference": "odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le" }, "product_reference": "odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x" }, "product_reference": "odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64" }, "product_reference": "odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le" }, "product_reference": "odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x" }, "product_reference": "odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le" }, "product_reference": "odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64" }, "product_reference": "odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x" }, "product_reference": "odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64" }, "product_reference": "odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x" }, "product_reference": "odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le" }, "product_reference": "odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le" }, "product_reference": "odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64" }, "product_reference": "odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x" }, "product_reference": "odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64" }, "product_reference": "odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le" }, "product_reference": "odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x" }, "product_reference": "odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x" }, "product_reference": "odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64" }, "product_reference": "odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le" }, "product_reference": "odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x" }, "product_reference": "odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le" }, "product_reference": "odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64" }, "product_reference": "odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64" }, "product_reference": "odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le" }, "product_reference": "odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x" }, "product_reference": "odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le" }, "product_reference": "odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x" }, "product_reference": "odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64" }, "product_reference": "odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le" }, "product_reference": "odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x" }, "product_reference": "odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64" }, "product_reference": "odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64 as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64" }, "product_reference": "odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x" }, "product_reference": "odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "relates_to_product_reference": "8Base-RH-ODF-4.9" }, { "category": "default_component_of", "full_product_name": { "name": "odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le as a component of Red Hat OpenShift Data Foundation 4.9 on RHEL-8", "product_id": "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" }, "product_reference": "odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le", "relates_to_product_reference": "8Base-RH-ODF-4.9" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Kubernetes Product Security Committee" ] }, { "names": [ "Patrick Rhomberg" ], "organization": "purelyapplied", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2020-8565", "cwe": { "id": "CWE-117", "name": "Improper Output Neutralization for Logs" }, "discovery_date": "2020-10-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1886638" } ], "notes": [ { "category": "description", "text": "A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4.", "title": "Vulnerability description" }, { "category": "summary", "text": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel \u003e= 9", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform 4 does not support LogLevels higher than 8 (via \u0027TraceAll\u0027), and is therefore not affected by this vulnerability.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-8565" }, { "category": "external", "summary": "RHBZ#1886638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886638" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8565", "url": "https://www.cve.org/CVERecord?id=CVE-2020-8565" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8565", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8565" }, { "category": "external", "summary": "https://github.com/kubernetes/kubernetes/issues/95623", "url": "https://github.com/kubernetes/kubernetes/issues/95623" }, { "category": "external", "summary": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk", "url": "https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk" } ], "release_date": "2020-10-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel \u003e= 9" }, { "cve": "CVE-2021-32803", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1990415" } ], "notes": [ { "category": "description", "text": "The npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay 3.3 uses an affected version of nodejs-tar. However Quay 3.3 is in extended life phase and a fix will not be delivered[1]. More recent versions of Red Hat Quay do not include nodejs-tar and are not affected.\n\n1. https://access.redhat.com/support/policy/updates/rhquay\n\nRed Hat Enterprise Linux version 8 and Red Hat Software Collection both embed node-tar in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-32803" }, { "category": "external", "summary": "RHBZ#1990415", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-32803", "url": "https://www.cve.org/CVERecord?id=CVE-2021-32803" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw" } ], "release_date": "2021-08-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-32804", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1990409" } ], "notes": [ { "category": "description", "text": "The npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Quay 3.3 uses an affected version of nodejs-tar. However Quay 3.3 is in extended life phase and a fix will not be delivered[1]. More recent versions of Red Hat Quay do not include nodejs-tar and are not affected.\n\n1. https://access.redhat.com/support/policy/updates/rhquay\n\nRed Hat Enterprise Linux version 8 and Red Hat Software Collection both embed node-tar in the npm command. A specially crafted node module could create and overwrite files outside of its dedicated directory.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-32804" }, { "category": "external", "summary": "RHBZ#1990409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-32804", "url": "https://www.cve.org/CVERecord?id=CVE-2021-32804" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9" } ], "release_date": "2021-08-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-33195", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-08-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1989564" } ], "notes": [ { "category": "description", "text": "A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net: lookup functions may return invalid host names", "title": "Vulnerability summary" }, { "category": "other", "text": "* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the golang-qpid-apache package.\n\n* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33195" }, { "category": "external", "summary": "RHBZ#1989564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989564" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33195", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33195" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" } ], "release_date": "2021-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net: lookup functions may return invalid host names" }, { "cve": "CVE-2021-33197", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-08-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1989570" } ], "notes": [ { "category": "description", "text": "A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty", "title": "Vulnerability summary" }, { "category": "other", "text": "* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* For Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the golang-qpid-apache package.\n\n* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33197" }, { "category": "external", "summary": "RHBZ#1989570", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989570" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33197", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33197" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33197", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33197" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" } ], "release_date": "2021-05-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty" }, { "cve": "CVE-2021-33198", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-08-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1989575" } ], "notes": [ { "category": "description", "text": "A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents", "title": "Vulnerability summary" }, { "category": "other", "text": "* Since OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* In Service Telemetry Framework, because the flaw has a lower impact and the package is not directly used by STF, no updates will be provided at this time for the STF containers.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33198" }, { "category": "external", "summary": "RHBZ#1989575", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989575" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33198", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33198" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI", "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" } ], "release_date": "2021-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents" }, { "cve": "CVE-2021-34558", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-07-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1983596" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic", "title": "Vulnerability summary" }, { "category": "other", "text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-34558" }, { "category": "external", "summary": "RHBZ#1983596", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34558" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558" }, { "category": "external", "summary": "https://golang.org/doc/devel/release#go1.15.minor", "url": "https://golang.org/doc/devel/release#go1.15.minor" }, { "category": "external", "summary": "https://golang.org/doc/devel/release#go1.16.minor", "url": "https://golang.org/doc/devel/release#go1.16.minor" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999731" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on directories. This flaw allows an untrusted tar file to extract and overwrite files into an arbitrary location. A similar confusion can arise on case-insensitive filesystems. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37701" }, { "category": "external", "summary": "RHBZ#1999731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37701", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37701" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1779", "url": "https://www.npmjs.com/advisories/1779" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-08-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1999739" } ], "notes": [ { "category": "description", "text": "A flaw was found in the npm package \"tar\" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux version 8 and Red Hat Software Collection both embed `node-tar` in the npm command. However, npm explicitly prevents the extraction of symlink via a filter. npm might still be affected via node-gyp, if the attacker is able to control the target URL.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37712" }, { "category": "external", "summary": "RHBZ#1999739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37712", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37712" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "category": "external", "summary": "https://www.npmjs.com/advisories/1780", "url": "https://www.npmjs.com/advisories/1780" } ], "release_date": "2021-08-31T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-13T19:26:22+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5086" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:6bb536ff91903016dcce91fcf6df30286321b7a415bcca68d22ca0a283406745_s390x", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:7c3beaacde875028141485219de5c780c3c30b146bcc533dfe1eb6c562a65b95_amd64", "8Base-RH-ODF-4.9:odf4/cephcsi-rhel8@sha256:f3b19e5732308b4d40f1b605169ac3f15a03194cb4dd47819ef073f36a0d1849_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:38d08ac83d988cda406d8cc6c2209ece706e125da07e202996f606c22c914349_s390x", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b0211a2fdad8d5e6fdefeece952aa9c51598b74d74a12d5adec4bed4e2783b2d_amd64", "8Base-RH-ODF-4.9:odf4/ocs-must-gather-rhel8@sha256:b1b008efb550c5fce0797378d96bb191a0c28aa15e813d759786e663fabb0274_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:19baeee4a9db7519f1b88a885034be1e35423f34854323ac4a1b0e88e881bc3f_amd64", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:7507787d2c8f920c718c15b93e9c24f7edf8047a24c7c0c2024d70915d7ff1d2_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-operator-bundle@sha256:af844ee09da74a2bf95779de502b683982cfb54227f196f24ef07221af5ec9d8_s390x", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:1fe31ad232d5ffc1eb202db0f83eb882eeca1bde83ba282fe412485c5b2bc479_amd64", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:355c50572c534973734eaeb171375bae9e0342504942b28585f5498829ae8aeb_ppc64le", "8Base-RH-ODF-4.9:odf4/ocs-rhel8-operator@sha256:b02b6d2cd44672787e0fa5569074c4a8cdcc6fde0206fe01ef6d9d70a6385d0c_s390x", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:02777f2cd36c40d5c09a28116e24c1c7a8ee0c6030d680281e042d08e1fd61f6_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:71724ee7baa629a98b4bf979e232dd128a313a2fa1eb4156c5b69593c99ec181_amd64", "8Base-RH-ODF-4.9:odf4/odf-console-rhel8@sha256:fd1659e10e099871d6a956bb26c3c17ed9a9bccc5ed90768514be8b0dcc34ff3_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:5a3e1458b856d295ba8fa9d075845d2524c6130d60db07b85cce99f5719a014f_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:b66338b35316b95d01fc30a207fd80227c2cb0cbc06ee516230dbb4e2c2e369e_s390x", "8Base-RH-ODF-4.9:odf4/odf-multicluster-operator-bundle@sha256:ee9641382dcfccd9db92c66bab549c0b44a218572e40011c2e22b651d4ff64af_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:17be1d705d7339f6e5f10d77c065c7a876c248c0913f625754443e58279c5039_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:446de9c6969efa219fd09aca97e8f1d34a18aa5a1553cad93ea03d1c99d75e9d_amd64", "8Base-RH-ODF-4.9:odf4/odf-multicluster-rhel8-operator@sha256:80c5ca69a4a153fe862d2edc12910131b9edaf3dd4ad544c2a30d1e363bf4bdb_s390x", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:2231fc5ebf70c6165947bdc31f95b6deaa69f1efbd6c6194b457e2ad7bb10948_amd64", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:5d47bf5c8aaadc387d2bde705cfc3238436bd29547139e6ce82bb3c9512da7f4_ppc64le", "8Base-RH-ODF-4.9:odf4/odf-operator-bundle@sha256:f51b12d4d34949b0932386e26af1c33db240d95a3e20b0ccdb469e4596124220_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:43679e013dacc86f5d181455fd533bc32a1d1b48e8cd2b0a88905c941127c09e_s390x", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:bbfcc2e62edb26b19578242800bf654cd74efbb33ff81273d62e207deff15c13_amd64", "8Base-RH-ODF-4.9:odf4/odf-rhel8-operator@sha256:ec0bd017c0ee777a3347c5fa83417fbb9f7d9e69fed7d6091b2e9a87dbaa9bff_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:5154833553993db3075424d9d0799548b0031123811832004d876c307becd6c7_s390x", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:95f7e6d4b0bfbbebd6f88b6a38e44e617d43bb2c10d473faa581fc235bdb7048_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-cluster-operator-bundle@sha256:f936b221644cebeea79a937c03261911fd2cc2181adcfc9381b2bd3890bb00d5_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:088270d599e6b65a321c2267057c655acad9e7df8baf2066c6da128d85479a16_amd64", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:0cfd5566150cd039abf04aaaa52cb95e86bc2e1044c64a58c4a5cd372f415c94_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-hub-operator-bundle@sha256:972d770ad4d54dd8663a715b81112c84ebf29ef4724190ffb440608c5fb665db_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:49df4d5554221b8aea998b9e06a24c01735d17c488aee4cbaf084bc0fedc5fcb_ppc64le", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:d9485425d2ce02a7279f7fb8e857f070f0fec7753f1219824e5988a5f14023e1_s390x", "8Base-RH-ODF-4.9:odf4/odr-rhel8-operator@sha256:ed5f3964c9c2e4e9e1da1b5759f7abbdc8f7139ee3d3c7984aca2491bde23b2d_amd64", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:0108cf6fabd19895a2be1b0a7cf0a33892a720d2b480b97e689100973f3d08ab_ppc64le", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:063bf4439fe8f803a21bc3c30e7afc8d9cfa7959a4635223ad176a1d9d1083b3_s390x", "8Base-RH-ODF-4.9:odf4/rook-ceph-rhel8-operator@sha256:edcab10440eebf3ea2732e1d345de9da8e598d3871e4ebf13d8b9cde7186f0b4_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:4fdaa73a9dc52c03407b845759f5bfa42289cbfcc62f23a000e1200399ff1336_amd64", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:536340adaaa6ff74a0305cc350b85d92fdfc36c30012d7875c7527c672b14ebe_s390x", "8Base-RH-ODF-4.9:odf4/volume-replication-rhel8-operator@sha256:62e9c97030fc7ab33e36f2d76f9a566f015498c80ab0b8a6e9b5b02ab6895927_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite" } ] }
ghsa-9r2w-394v-53qc
Vulnerability from github
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar
aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \
and /
characters as path separators, however \
is a valid filename character on posix systems.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.
Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO
, followed by a symbolic link named foo
, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO
directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.
These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.
The v3 branch of node-tar
has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar
. If this is not possible, a workaround is available below.
Patches
4.4.16 || 5.0.8 || 6.1.7
Workarounds
Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.
```js const tar = require('tar')
tar.x({ file: 'archive.tgz', filter: (file, entry) => { if (entry.type === 'SymbolicLink') { return false } else { return true } } }) ```
Users are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.
Fix
The problem is addressed in the following ways:
- All paths are normalized to use
/
as a path separator, replacing\
with/
on Windows systems, and leaving\
intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed. - Directory cache pruning is performed case-insensitively. This may result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.
Caveat
Note that this means that the entry
objects exposed in various parts of tar's API will now always use /
as a path separator, even on Windows systems. This is not expected to cause problems, as /
is a valid path separator on Windows systems, but may result in issues if entry.path
is compared against a path string coming from some other API such as fs.realpath()
or path.resolve()
.
Users are encouraged to always normalize paths using a well-tested method such as path.resolve()
before comparing paths to one another.
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "(tar).Unpack" ] }, "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "4.4.16" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(tar).Unpack" ] }, "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.8" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "affected_functions": [ "(tar).Unpack" ] }, "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "6.1.7" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-37701" ], "database_specific": { "cwe_ids": [ "CWE-22", "CWE-59" ], "github_reviewed": true, "github_reviewed_at": "2021-08-31T16:01:50Z", "nvd_published_at": "2021-08-31T17:15:00Z", "severity": "HIGH" }, "details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require(\u0027tar\u0027)\n\ntar.x({\n file: \u0027archive.tgz\u0027,\n filter: (file, entry) =\u003e {\n if (entry.type === \u0027SymbolicLink\u0027) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar\u0027s API will now always use `/` as a path separator, even on Windows systems. This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.", "id": "GHSA-9r2w-394v-53qc", "modified": "2021-08-31T16:01:50Z", "published": "2021-08-31T16:05:27Z", "references": [ { "type": "WEB", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "type": "PACKAGE", "url": "https://github.com/npm/node-tar" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5008" }, { "type": "WEB", "url": "https://www.npmjs.com/package/tar" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links" }
ICSA-22-069-09
Vulnerability from csaf_cisa
Notes
{ "document": { "acknowledgments": [ { "organization": "Siemens", "summary": "reporting this vulnerability to CISA" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "summary", "text": "Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.", "title": "Risk evaluation" }, { "category": "other", "text": "Energy", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Germany", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "other", "text": "No known public exploits specifically target this vulnerability.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-389290.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-069-09 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-069-09.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-069-09 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" }, { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - PDF Version", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - TXT Version", "url": "https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt" } ], "title": "Siemens SINEC INS", "tracking": { "current_release_date": "2022-03-10T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1.0.0" } }, "id": "ICSA-22-069-09", "initial_release_date": "2022-03-10T00:00:00.000000Z", "revision_history": [ { "date": "2022-03-10T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-22-069-09 Siemens SINEC INS" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c V1.0.1.1", "product": { "name": "SINEC INS", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "SINEC INS" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-19242", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles pExpr-\u003ey.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19242 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19242 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19242.json" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19242" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19244" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19317" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19603" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19646" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19923" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19924" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19925" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8625" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9327" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11655" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11656" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13630" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13631" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13871" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15358" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22883" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22884" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22918" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22921" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22930" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22931" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22939" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22940" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25214" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25215" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25216" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25219" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39134" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39135" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19242" }, { "cve": "CVE-2019-19244", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19244 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19244 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19244.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19244" }, { "cve": "CVE-2019-19317", "cwe": { "id": "CWE-681", "name": "Incorrect Conversion between Numeric Types" }, "notes": [ { "category": "summary", "text": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19317 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19317 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19317.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19317" }, { "cve": "CVE-2019-19603", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19603 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19603 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19603.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19603" }, { "cve": "CVE-2019-19645", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "summary", "text": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19645 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19645 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19645.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19645" }, { "cve": "CVE-2019-19646", "cwe": { "id": "CWE-754", "name": "Improper Check for Unusual or Exceptional Conditions" }, "notes": [ { "category": "summary", "text": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19646 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19646 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19646.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19646" }, { "cve": "CVE-2019-19880", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19880 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19880 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19880.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19880" }, { "cve": "CVE-2019-19923", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19923 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19923 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19923.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19923" }, { "cve": "CVE-2019-19924", "cwe": { "id": "CWE-755", "name": "Improper Handling of Exceptional Conditions" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19924 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19924 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19924.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19924" }, { "cve": "CVE-2019-19925", "cwe": { "id": "CWE-434", "name": "Unrestricted Upload of File with Dangerous Type" }, "notes": [ { "category": "summary", "text": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19925 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19925 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19925.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19925" }, { "cve": "CVE-2019-19926", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19926 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19926 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19926.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19926" }, { "cve": "CVE-2020-1971", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL\u0027s s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL\u0027s parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-1971 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-1971 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-1971.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-1971" }, { "cve": "CVE-2020-7774", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "notes": [ { "category": "summary", "text": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require(\u0027y18n\u0027)(); y18n.setLocale(\u0027PROTO\u0027); y18n.updateLocale({polluted: true}); console.log(polluted); // true", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-7774 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-7774 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-7774.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-7774" }, { "cve": "CVE-2020-8169", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "The libcurl library versions 7.62.0 to and including 7.70.0 are vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8169 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8169 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8169.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8169" }, { "cve": "CVE-2020-8177", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)" }, "notes": [ { "category": "summary", "text": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8177 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8177 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8177.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8177" }, { "cve": "CVE-2020-8231", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8231 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8231 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8231.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8231" }, { "cve": "CVE-2020-8265", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8265 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8265 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8265.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8265" }, { "cve": "CVE-2020-8284", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8284 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8284 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8284.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8284" }, { "cve": "CVE-2020-8285", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "summary", "text": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8285 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8285 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8285.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8285" }, { "cve": "CVE-2020-8286", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "The libcurl library versions 7.41.0 to and including 7.73.0 are vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. This vulnerability could allow an attacker to pass a revoked certificate as valid.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8286 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8286 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8286.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8286" }, { "cve": "CVE-2020-8287", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "notes": [ { "category": "summary", "text": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8287 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8287 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8287.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8287" }, { "cve": "CVE-2020-8625", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "notes": [ { "category": "summary", "text": "BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -\u003e 9.11.27, 9.12.0 -\u003e 9.16.11, and versions BIND 9.11.3-S1 -\u003e 9.11.27-S1 and 9.16.8-S1 -\u003e 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8625 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8625 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8625.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8625" }, { "cve": "CVE-2020-9327", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-9327 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-9327 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-9327.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-9327" }, { "cve": "CVE-2020-11655", "cwe": { "id": "CWE-665", "name": "Improper Initialization" }, "notes": [ { "category": "summary", "text": "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object\u0027s initialization is mishandled.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-11655 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-11655 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-11655.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-11655" }, { "cve": "CVE-2020-11656", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-11656 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-11656 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-11656.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-11656" }, { "cve": "CVE-2020-13630", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13630 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13630 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13630.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.0, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13630" }, { "cve": "CVE-2020-13631", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13631 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13631 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13631.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13631" }, { "cve": "CVE-2020-13632", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13632 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13632 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13632.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13632" }, { "cve": "CVE-2020-13871", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13871 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13871 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13871.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13871" }, { "cve": "CVE-2020-15358", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "notes": [ { "category": "summary", "text": "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-15358 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-15358 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-15358.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-15358" }, { "cve": "CVE-2020-27304", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-27304 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-27304 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-27304.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-27304" }, { "cve": "CVE-2021-3449", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3449 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3449 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3449.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3450 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3450 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3450.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3672", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3672 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3672 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3672.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3672" }, { "cve": "CVE-2021-3711", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "notes": [ { "category": "summary", "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3711 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3711 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3711.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL\u0027s own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3712 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3712 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3712.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3712" }, { "cve": "CVE-2021-22876", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22876 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22876 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22876.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22876" }, { "cve": "CVE-2021-22883", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an \u0027unknownProtocol\u0027 are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22883 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22883 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22883.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22883" }, { "cve": "CVE-2021-22884", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes \u201clocalhost6\u201d. When \u201clocalhost6\u201d is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim\u0027s DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the \u201clocalhost6\u201d domain. As long as the attacker uses the \u201clocalhost6\u201d domain, they can still apply the attack described in CVE-2018-7160.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22884 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22884 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22884.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22884" }, { "cve": "CVE-2021-22890", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "notes": [ { "category": "summary", "text": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22890 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22890 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22890.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22890" }, { "cve": "CVE-2021-22897", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22897 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22897 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22897.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22897" }, { "cve": "CVE-2021-22898", "cwe": { "id": "CWE-909", "name": "Missing Initialization of Resource" }, "notes": [ { "category": "summary", "text": "curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22898 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22898 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22898.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22898" }, { "cve": "CVE-2021-22901", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22901 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22901 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22901.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22901" }, { "cve": "CVE-2021-22918", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22918 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22918 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22918.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22918" }, { "cve": "CVE-2021-22921", "cwe": { "id": "CWE-732", "name": "Incorrect Permission Assignment for Critical Resource" }, "notes": [ { "category": "summary", "text": "Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22921 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22921 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22921.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22921" }, { "cve": "CVE-2021-22922", "cwe": { "id": "CWE-354", "name": "Improper Validation of Integrity Check Value" }, "notes": [ { "category": "summary", "text": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22922 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22922 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22922.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22922" }, { "cve": "CVE-2021-22923", "cwe": { "id": "CWE-522", "name": "Insufficiently Protected Credentials" }, "notes": [ { "category": "summary", "text": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\u0027s expectations and intentions and without telling the user it happened.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22923 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22923 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22923.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22923" }, { "cve": "CVE-2021-22924", "cwe": { "id": "CWE-706", "name": "Use of Incorrectly-Resolved Name or Reference" }, "notes": [ { "category": "summary", "text": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take \u0027issuercert\u0027 into account and it compared the involved paths _case insensitively_,which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn\u0027t include the \u0027issuer cert\u0027 which a transfer can set to qualify how to verify the server certificate.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22924 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22924 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22924.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22924" }, { "cve": "CVE-2021-22925", "cwe": { "id": "CWE-908", "name": "Use of Uninitialized Resource" }, "notes": [ { "category": "summary", "text": "curl supports the -t command line option, known as CURLOPT_TELNETOPTIONSin libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending NEW_ENV variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22925 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22925 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22925.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22925" }, { "cve": "CVE-2021-22926", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like /tmp), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22926 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22926 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22926.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22926" }, { "cve": "CVE-2021-22930", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22930 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22930 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22930.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22930" }, { "cve": "CVE-2021-22931", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22931 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22931 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22931.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22931" }, { "cve": "CVE-2021-22939", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22939 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22939 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22939.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22939" }, { "cve": "CVE-2021-22940", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22940 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22940 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22940.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22940" }, { "cve": "CVE-2021-22945", "cwe": { "id": "CWE-415", "name": "Double Free" }, "notes": [ { "category": "summary", "text": "When sending data to an MQTT server, libcurl \u003c= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it _again_.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22945 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22945 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22945.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22945" }, { "cve": "CVE-2021-22946", "cwe": { "id": "CWE-319", "name": "Cleartext Transmission of Sensitive Information" }, "notes": [ { "category": "summary", "text": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations WITHOUTTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22946 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22946 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22946.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22946" }, { "cve": "CVE-2021-22947", "cwe": { "id": "CWE-345", "name": "Insufficient Verification of Data Authenticity" }, "notes": [ { "category": "summary", "text": "When curl \u003e= 7.20.0 and \u003c= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got _before_ the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker\u0027s injected data comes from the TLS-protected server.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22947 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22947 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22947.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22947" }, { "cve": "CVE-2021-23362", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-23362 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-23362 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-23362.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-23362" }, { "cve": "CVE-2021-23840", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "summary", "text": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-23840 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-23840 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-23840.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-23840" }, { "cve": "CVE-2021-25214", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.8.5 -\u003e 9.8.8, 9.9.3 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.9.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25214 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25214 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25214.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25215", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.0.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.9.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25215 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25215 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25215.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25215" }, { "cve": "CVE-2021-25216", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25216 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25216 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25216.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25216" }, { "cve": "CVE-2021-25219", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "In BIND 9.3.0 -\u003e 9.11.35, 9.12.0 -\u003e 9.16.21, and versions 9.9.3-S1 -\u003e 9.11.35-S1 and 9.16.8-S1 -\u003e 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25219 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25219 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25219.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25219" }, { "cve": "CVE-2021-27290", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-27290 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-27290 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-27290.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-27290" }, { "cve": "CVE-2021-32803", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-32803 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-32803 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-32803.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-32804 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-32804 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-32804.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-32804" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \\ and / characters as path separators, however \\ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37701 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37701 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37701.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37712 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37712 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37712.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\\path. If the drive letter does not match the extraction target, for example D:\\extraction\\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37713 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37713 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37713.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37713" }, { "cve": "CVE-2021-39134", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "summary", "text": "@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist\u0027s internal data structure saw them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package pwn-a could define a dependency in their package.json file such as \"foo\": \"file:/some/path\". Another package, pwn-b could define a dependency such as FOO: \"file:foo.tgz\". On case-insensitive file systems, if pwn-a was installed, and then pwn-b was installed afterwards, the contents of foo.tgz would be written to /some/path, and any existing contents of /some/path would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-39134 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-39134 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-39134.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-39134" }, { "cve": "CVE-2021-39135", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "summary", "text": "@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project\u0027s node_modules folder. If the node_modules folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a node_modules symbolic link would have to be employed. 1. A preinstall script could replace node_modules with a symlink. (This is prevented by using --ignore-scripts.) 2. An attacker could supply the target with a git repository, instructing them to run npm install --ignore-scripts in the root. This may be successful, because npm install --ignore-scripts is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-39135 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-39135 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-39135.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-39135" } ] }
icsa-22-069-09
Vulnerability from csaf_cisa
Notes
{ "document": { "acknowledgments": [ { "organization": "Siemens", "summary": "reporting this vulnerability to CISA" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "summary", "text": "Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.", "title": "Risk evaluation" }, { "category": "other", "text": "Energy", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Germany", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "other", "text": "No known public exploits specifically target this vulnerability.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-389290.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-069-09 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-069-09.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-069-09 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-09" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" }, { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - PDF Version", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "category": "external", "summary": "SSA-389290: Third-Party Component Vulnerabilities in SINEC INS - TXT Version", "url": "https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt" } ], "title": "Siemens SINEC INS", "tracking": { "current_release_date": "2022-03-10T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1.0.0" } }, "id": "ICSA-22-069-09", "initial_release_date": "2022-03-10T00:00:00.000000Z", "revision_history": [ { "date": "2022-03-10T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-22-069-09 Siemens SINEC INS" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c V1.0.1.1", "product": { "name": "SINEC INS", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "SINEC INS" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-19242", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles pExpr-\u003ey.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19242 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19242 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19242.json" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19242" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19244" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19317" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19603" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19646" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19923" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19924" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19925" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8287" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8625" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9327" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11655" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11656" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13630" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13631" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13871" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15358" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3450" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3711" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22883" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22884" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22918" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22921" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22930" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22931" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22939" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22940" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25214" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25215" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25216" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25219" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39134" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39135" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19242" }, { "cve": "CVE-2019-19244", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19244 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19244 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19244.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19244" }, { "cve": "CVE-2019-19317", "cwe": { "id": "CWE-681", "name": "Incorrect Conversion between Numeric Types" }, "notes": [ { "category": "summary", "text": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19317 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19317 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19317.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19317" }, { "cve": "CVE-2019-19603", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19603 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19603 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19603.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19603" }, { "cve": "CVE-2019-19645", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "summary", "text": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19645 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19645 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19645.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19645" }, { "cve": "CVE-2019-19646", "cwe": { "id": "CWE-754", "name": "Improper Check for Unusual or Exceptional Conditions" }, "notes": [ { "category": "summary", "text": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19646 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19646 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19646.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19646" }, { "cve": "CVE-2019-19880", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19880 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19880 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19880.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19880" }, { "cve": "CVE-2019-19923", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19923 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19923 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19923.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19923" }, { "cve": "CVE-2019-19924", "cwe": { "id": "CWE-755", "name": "Improper Handling of Exceptional Conditions" }, "notes": [ { "category": "summary", "text": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19924 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19924 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19924.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19924" }, { "cve": "CVE-2019-19925", "cwe": { "id": "CWE-434", "name": "Unrestricted Upload of File with Dangerous Type" }, "notes": [ { "category": "summary", "text": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19925 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19925 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19925.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19925" }, { "cve": "CVE-2019-19926", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2019-19926 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2019-19926 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2019-19926.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2019-19926" }, { "cve": "CVE-2020-1971", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL\u0027s s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL\u0027s parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-1971 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-1971 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-1971.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-1971" }, { "cve": "CVE-2020-7774", "cwe": { "id": "CWE-915", "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes" }, "notes": [ { "category": "summary", "text": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require(\u0027y18n\u0027)(); y18n.setLocale(\u0027PROTO\u0027); y18n.updateLocale({polluted: true}); console.log(polluted); // true", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-7774 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-7774 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-7774.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-7774" }, { "cve": "CVE-2020-8169", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "The libcurl library versions 7.62.0 to and including 7.70.0 are vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8169 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8169 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8169.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8169" }, { "cve": "CVE-2020-8177", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)" }, "notes": [ { "category": "summary", "text": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8177 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8177 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8177.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8177" }, { "cve": "CVE-2020-8231", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8231 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8231 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8231.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8231" }, { "cve": "CVE-2020-8265", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8265 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8265 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8265.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8265" }, { "cve": "CVE-2020-8284", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8284 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8284 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8284.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8284" }, { "cve": "CVE-2020-8285", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "summary", "text": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8285 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8285 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8285.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8285" }, { "cve": "CVE-2020-8286", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "The libcurl library versions 7.41.0 to and including 7.73.0 are vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. This vulnerability could allow an attacker to pass a revoked certificate as valid.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8286 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8286 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8286.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8286" }, { "cve": "CVE-2020-8287", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "notes": [ { "category": "summary", "text": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8287 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8287 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8287.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8287" }, { "cve": "CVE-2020-8625", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "notes": [ { "category": "summary", "text": "BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -\u003e 9.11.27, 9.12.0 -\u003e 9.16.11, and versions BIND 9.11.3-S1 -\u003e 9.11.27-S1 and 9.16.8-S1 -\u003e 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-8625 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-8625 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-8625.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-8625" }, { "cve": "CVE-2020-9327", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-9327 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-9327 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-9327.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-9327" }, { "cve": "CVE-2020-11655", "cwe": { "id": "CWE-665", "name": "Improper Initialization" }, "notes": [ { "category": "summary", "text": "SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object\u0027s initialization is mishandled.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-11655 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-11655 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-11655.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-11655" }, { "cve": "CVE-2020-11656", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-11656 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-11656 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-11656.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-11656" }, { "cve": "CVE-2020-13630", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13630 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13630 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13630.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.0, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13630" }, { "cve": "CVE-2020-13631", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13631 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13631 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13631.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13631" }, { "cve": "CVE-2020-13632", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13632 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13632 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13632.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13632" }, { "cve": "CVE-2020-13871", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-13871 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-13871 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-13871.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-13871" }, { "cve": "CVE-2020-15358", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "notes": [ { "category": "summary", "text": "In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-15358 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-15358 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-15358.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-15358" }, { "cve": "CVE-2020-27304", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2020-27304 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2020-27304 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2020-27304.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2020-27304" }, { "cve": "CVE-2021-3449", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "summary", "text": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3449 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3449 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3449.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3450 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3450 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3450.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3672", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "notes": [ { "category": "summary", "text": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3672 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3672 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3672.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3672" }, { "cve": "CVE-2021-3711", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" }, "notes": [ { "category": "summary", "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3711 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3711 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3711.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL\u0027s own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-3712 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-3712 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-3712.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-3712" }, { "cve": "CVE-2021-22876", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "summary", "text": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22876 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22876 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22876.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22876" }, { "cve": "CVE-2021-22883", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an \u0027unknownProtocol\u0027 are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22883 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22883 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22883.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22883" }, { "cve": "CVE-2021-22884", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes \u201clocalhost6\u201d. When \u201clocalhost6\u201d is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim\u0027s DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the \u201clocalhost6\u201d domain. As long as the attacker uses the \u201clocalhost6\u201d domain, they can still apply the attack described in CVE-2018-7160.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22884 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22884 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22884.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22884" }, { "cve": "CVE-2021-22890", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "notes": [ { "category": "summary", "text": "curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22890 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22890 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22890.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22890" }, { "cve": "CVE-2021-22897", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "notes": [ { "category": "summary", "text": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22897 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22897 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22897.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22897" }, { "cve": "CVE-2021-22898", "cwe": { "id": "CWE-909", "name": "Missing Initialization of Resource" }, "notes": [ { "category": "summary", "text": "curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22898 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22898 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22898.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22898" }, { "cve": "CVE-2021-22901", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22901 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22901 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22901.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22901" }, { "cve": "CVE-2021-22918", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22918 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22918 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22918.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22918" }, { "cve": "CVE-2021-22921", "cwe": { "id": "CWE-732", "name": "Incorrect Permission Assignment for Critical Resource" }, "notes": [ { "category": "summary", "text": "Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22921 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22921 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22921.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22921" }, { "cve": "CVE-2021-22922", "cwe": { "id": "CWE-354", "name": "Improper Validation of Integrity Check Value" }, "notes": [ { "category": "summary", "text": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22922 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22922 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22922.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22922" }, { "cve": "CVE-2021-22923", "cwe": { "id": "CWE-522", "name": "Insufficiently Protected Credentials" }, "notes": [ { "category": "summary", "text": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\u0027s expectations and intentions and without telling the user it happened.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22923 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22923 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22923.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22923" }, { "cve": "CVE-2021-22924", "cwe": { "id": "CWE-706", "name": "Use of Incorrectly-Resolved Name or Reference" }, "notes": [ { "category": "summary", "text": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take \u0027issuercert\u0027 into account and it compared the involved paths _case insensitively_,which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn\u0027t include the \u0027issuer cert\u0027 which a transfer can set to qualify how to verify the server certificate.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22924 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22924 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22924.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22924" }, { "cve": "CVE-2021-22925", "cwe": { "id": "CWE-908", "name": "Use of Uninitialized Resource" }, "notes": [ { "category": "summary", "text": "curl supports the -t command line option, known as CURLOPT_TELNETOPTIONSin libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending NEW_ENV variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22925 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22925 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22925.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22925" }, { "cve": "CVE-2021-22926", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like /tmp), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22926 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22926 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22926.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22926" }, { "cve": "CVE-2021-22930", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22930 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22930 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22930.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22930" }, { "cve": "CVE-2021-22931", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22931 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22931 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22931.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22931" }, { "cve": "CVE-2021-22939", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "notes": [ { "category": "summary", "text": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22939 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22939 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22939.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22939" }, { "cve": "CVE-2021-22940", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22940 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22940 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22940.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22940" }, { "cve": "CVE-2021-22945", "cwe": { "id": "CWE-415", "name": "Double Free" }, "notes": [ { "category": "summary", "text": "When sending data to an MQTT server, libcurl \u003c= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it _again_.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22945 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22945 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22945.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22945" }, { "cve": "CVE-2021-22946", "cwe": { "id": "CWE-319", "name": "Cleartext Transmission of Sensitive Information" }, "notes": [ { "category": "summary", "text": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations WITHOUTTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22946 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22946 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22946.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22946" }, { "cve": "CVE-2021-22947", "cwe": { "id": "CWE-345", "name": "Insufficient Verification of Data Authenticity" }, "notes": [ { "category": "summary", "text": "When curl \u003e= 7.20.0 and \u003c= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got _before_ the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker\u0027s injected data comes from the TLS-protected server.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-22947 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-22947 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-22947.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-22947" }, { "cve": "CVE-2021-23362", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-23362 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-23362 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-23362.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-23362" }, { "cve": "CVE-2021-23840", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "summary", "text": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-23840 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-23840 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-23840.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-23840" }, { "cve": "CVE-2021-25214", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.8.5 -\u003e 9.8.8, 9.9.3 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.9.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25214 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25214 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25214.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25215", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.0.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.9.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25215 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25215 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25215.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25215" }, { "cve": "CVE-2021-25216", "cwe": { "id": "CWE-617", "name": "Reachable Assertion" }, "notes": [ { "category": "summary", "text": "In BIND 9.5.0 -\u003e 9.11.29, 9.12.0 -\u003e 9.16.13, and versions BIND 9.11.3-S1 -\u003e 9.11.29-S1 and 9.16.8-S1 -\u003e 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND\u0027s default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25216 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25216 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25216.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25216" }, { "cve": "CVE-2021-25219", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "In BIND 9.3.0 -\u003e 9.11.35, 9.12.0 -\u003e 9.16.21, and versions 9.9.3-S1 -\u003e 9.11.35-S1 and 9.16.8-S1 -\u003e 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-25219 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-25219 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-25219.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-25219" }, { "cve": "CVE-2021-27290", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-27290 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-27290 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-27290.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-27290" }, { "cve": "CVE-2021-32803", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-32803 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-32803 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-32803.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-32803" }, { "cve": "CVE-2021-32804", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-32804 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-32804 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-32804.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-32804" }, { "cve": "CVE-2021-37701", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \\ and / characters as path separators, however \\ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37701 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37701 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37701.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37701" }, { "cve": "CVE-2021-37712", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37712 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37712 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37712.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37712" }, { "cve": "CVE-2021-37713", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\\path. If the drive letter does not match the extraction target, for example D:\\extraction\\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-37713 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-37713 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-37713.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-37713" }, { "cve": "CVE-2021-39134", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "summary", "text": "@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist\u0027s internal data structure saw them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package pwn-a could define a dependency in their package.json file such as \"foo\": \"file:/some/path\". Another package, pwn-b could define a dependency such as FOO: \"file:foo.tgz\". On case-insensitive file systems, if pwn-a was installed, and then pwn-b was installed afterwards, the contents of foo.tgz would be written to /some/path, and any existing contents of /some/path would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-39134 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-39134 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-39134.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-39134" }, { "cve": "CVE-2021-39135", "cwe": { "id": "CWE-61", "name": "UNIX Symbolic Link (Symlink) Following" }, "notes": [ { "category": "summary", "text": "@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project\u0027s node_modules folder. If the node_modules folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a node_modules symbolic link would have to be employed. 1. A preinstall script could replace node_modules with a symlink. (This is prevented by using --ignore-scripts.) 2. An attacker could supply the target with a git repository, instructing them to run npm install --ignore-scripts in the root. This may be successful, because npm install --ignore-scripts is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "summary": "CVE-2021-39135 - SINEC INS", "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "summary": "CVE-2021-39135 Mitre 5.0 json", "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-39135.json" } ], "remediations": [ { "category": "vendor_fix", "details": "Update to V1.0.1.1 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109806100/" }, { "category": "mitigation", "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2021-39135" } ] }
gsd-2021-37701
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2021-37701", "description": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "id": "GSD-2021-37701", "references": [ "https://www.suse.com/security/cve/CVE-2021-37701.html", "https://www.debian.org/security/2021/dsa-5008", "https://access.redhat.com/errata/RHSA-2022:0350", "https://access.redhat.com/errata/RHSA-2022:0246", "https://access.redhat.com/errata/RHSA-2022:0041", "https://access.redhat.com/errata/RHSA-2021:5086", "https://advisories.mageia.org/CVE-2021-37701.html", "https://security.archlinux.org/CVE-2021-37701", "https://linux.oracle.com/cve/CVE-2021-37701.html", "https://access.redhat.com/errata/RHSA-2022:4914", "https://access.redhat.com/errata/RHEA-2022:4925", "https://access.redhat.com/errata/RHEA-2022:5139", "https://access.redhat.com/errata/RHEA-2022:5221", "https://access.redhat.com/errata/RHEA-2022:5615" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-37701" ], "details": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "id": "GSD-2021-37701", "modified": "2023-12-13T01:23:09.453479Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37701", "STATE": "PUBLIC", "TITLE": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "node-tar", "version": { "version_data": [ { "version_value": "\u003c 4.4.16" }, { "version_value": "\u003e= 5.0.0, \u003c 5.0.8" }, { "version_value": "\u003e= 6.0.0, \u003c 6.1.7" } ] } } ] }, "vendor_name": "npm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] }, { "description": [ { "lang": "eng", "value": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.npmjs.com/package/tar", "refsource": "MISC", "url": "https://www.npmjs.com/package/tar" }, { "name": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "refsource": "CONFIRM", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "DSA-5008", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5008" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "name": "[debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" } ] }, "source": { "advisory": "GHSA-9r2w-394v-53qc", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c4.4.16||\u003e=5.0.0 \u003c5.0.8||\u003e=6.0.0 \u003c6.1.7", "affected_versions": "All versions before 4.4.16, all versions starting from 5.0.0 before 5.0.8, all versions starting from 6.0.0 before 6.1.7", "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-22", "CWE-937" ], "date": "2023-01-19", "description": "This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.", "fixed_versions": [ "4.4.16", "5.0.8", "6.1.7" ], "identifier": "CVE-2021-37701", "identifiers": [ "CVE-2021-37701", "GHSA-9r2w-394v-53qc" ], "not_impacted": "All versions starting from 4.4.16 before 5.0.0, all versions starting from 5.0.8 before 6.0.0, all versions starting from 6.1.7", "package_slug": "npm/tar", "pubdate": "2021-08-31", "solution": "Upgrade to versions 4.4.16, 5.0.8, 6.1.7 or above.", "title": "Path Traversal", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" ], "uuid": "185c334e-acea-4786-8dbb-84d39f9e6144" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "4.4.16", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "5.0.8", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:npmjs:tar:*:*:*:*:*:node.js:*:*", "cpe_name": [], "versionEndExcluding": "6.1.7", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "1.0.1.1", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37701" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-22" }, { "lang": "en", "value": "CWE-59" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "refsource": "CONFIRM", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "name": "https://www.npmjs.com/package/tar", "refsource": "MISC", "tags": [ "Product", "Third Party Advisory" ], "url": "https://www.npmjs.com/package/tar" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "DSA-5008", "refsource": "DEBIAN", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-5008" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "name": "[debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 6.0 } }, "lastModifiedDate": "2023-01-19T20:11Z", "publishedDate": "2021-08-31T17:15Z" } } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.