Action not permitted
Modal body text goes here.
cve-2021-3801
Vulnerability from cvelistv5
Published
2021-09-15 12:40
Modified
2024-08-03 17:09
Severity
Summary
Inefficient Regular Expression Complexity in prismjs/prism
References
| Source | URL | Tags |
|---|---|---|
| security@huntr.dev | https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 | Patch, Third Party Advisory |
| security@huntr.dev | https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product |
|---|---|
| prismjs | prismjs/prism |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prismjs/prism",
"vendor": "prismjs",
"versions": [
{
"lessThanOrEqual": "1.24.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "prism is vulnerable to Inefficient Regular Expression Complexity"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T12:40:11",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
}
],
"source": {
"advisory": "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"discovery": "EXTERNAL"
},
"title": "Inefficient Regular Expression Complexity in prismjs/prism",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3801",
"STATE": "PUBLIC",
"TITLE": "Inefficient Regular Expression Complexity in prismjs/prism"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prismjs/prism",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.24.1"
}
]
}
}
]
},
"vendor_name": "prismjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prism is vulnerable to Inefficient Regular Expression Complexity"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
},
{
"name": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9",
"refsource": "MISC",
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
}
]
},
"source": {
"advisory": "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3801",
"datePublished": "2021-09-15T12:40:11",
"dateReserved": "2021-09-14T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-3801\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2021-09-15T13:15:08.360\",\"lastModified\":\"2022-07-29T16:52:57.513\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"prism is vulnerable to Inefficient Regular Expression Complexity\"},{\"lang\":\"es\",\"value\":\"prism es vulnerable a una Complejidad de Expresi\u00f3n Regular Ineficiente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":4.3},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]},{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.25.0\",\"matchCriteriaId\":\"266D072D-BFAD-4ACC-9ADA-91B03CA5EDA8\"}]}]}],\"references\":[{\"url\":\"https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
gsd-2021-3801
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
prism is vulnerable to Inefficient Regular Expression Complexity
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-3801",
"description": "prism is vulnerable to Inefficient Regular Expression Complexity",
"id": "GSD-2021-3801",
"references": [
"https://access.redhat.com/errata/RHSA-2021:4902"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-3801"
],
"details": "prism is vulnerable to Inefficient Regular Expression Complexity",
"id": "GSD-2021-3801",
"modified": "2023-12-13T01:23:34.240580Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3801",
"STATE": "PUBLIC",
"TITLE": "Inefficient Regular Expression Complexity in prismjs/prism"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prismjs/prism",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.24.1"
}
]
}
}
]
},
"vendor_name": "prismjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prism is vulnerable to Inefficient Regular Expression Complexity"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
},
{
"name": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9",
"refsource": "MISC",
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
}
]
},
"source": {
"advisory": "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"discovery": "EXTERNAL"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.25.0",
"affected_versions": "All versions before 1.25.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-07-29",
"description": "prism is vulnerable to Inefficient Regular Expression Complexity",
"fixed_versions": [
"1.25.0"
],
"identifier": "CVE-2021-3801",
"identifiers": [
"CVE-2021-3801"
],
"not_impacted": "All versions starting from 1.25.0",
"package_slug": "npm/prismjs",
"pubdate": "2021-09-15",
"solution": "Upgrade to version 1.25.0 or above.",
"title": "Incorrect Comparison",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3801",
"https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
],
"uuid": "fa7d3a0b-1ca0-488d-847b-93beb433a549"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndExcluding": "1.25.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3801"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "prism is vulnerable to Inefficient Regular Expression Complexity"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
},
{
"name": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-07-29T16:52Z",
"publishedDate": "2021-09-15T13:15Z"
}
}
}
ghsa-hqhp-5p83-hx96
Vulnerability from github
Published
2021-09-20 20:44
Modified
2022-08-10 23:38
Severity
Summary
prismjs Regular Expression Denial of Service vulnerability
Details
Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "prismjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3801"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-16T18:29:46Z",
"nvd_published_at": "2021-09-15T13:15:00Z",
"severity": "MODERATE"
},
"details": "Prism is a syntax highlighting library. The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.",
"id": "GHSA-hqhp-5p83-hx96",
"modified": "2022-08-10T23:38:25Z",
"published": "2021-09-20T20:44:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3801"
},
{
"type": "WEB",
"url": "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/prismjs/prism"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "prismjs Regular Expression Denial of Service vulnerability"
}
rhsa-2021_4902
Vulnerability from csaf_redhat
Published
2021-12-01 17:22
Modified
2024-09-18 14:40
Summary
Red Hat Security Advisory: ACS 3.67 security and enhancement update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:
OpenShift Dedicated support
RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.
1. Use OpenShift OAuth server as an identity provider
If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS.
2. Enhancements for CI outputs
Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.
3. Runtime Class policy criteria
Users can now use RHACS to define the container runtime configuration that may be used to run a pod’s containers using the Runtime Class policy criteria.
Security Fix(es):
* civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)
* nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* helm: information disclosure vulnerability (CVE-2021-32690)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fixes
The release of RHACS 3.67 includes the following bug fixes:
1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.
2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.
System changes
The release of RHACS 3.67 includes the following system changes:
1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images.
2. The Port exposure method policy criteria now include route as an exposure method.
3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.
4. The OpenShift Compliance Operator integration now supports using TailoredProfiles.
5. The RHACS Jenkins plugin now provides additional security information.
6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.
7. The default uid:gid pair for the Scanner image is now 65534:65534.
8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes.
9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.
10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode.
11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check & deployment check
12. You can now use a regular expression for the deployment name while specifying policy exclusions
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:\n\nOpenShift Dedicated support\n\nRHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.\n\n1. Use OpenShift OAuth server as an identity provider\nIf you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS. \n\n2. Enhancements for CI outputs\nRed Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.\n\n3. Runtime Class policy criteria\nUsers can now use RHACS to define the container runtime configuration that may be used to run a pod\u2019s containers using the Runtime Class policy criteria.\n\nSecurity Fix(es):\n\n* civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)\n\n* nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)\n\n* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)\n\n* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)\n\n* helm: information disclosure vulnerability (CVE-2021-32690)\n\n* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)\n\n* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fixes\nThe release of RHACS 3.67 includes the following bug fixes:\n\n1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.\n\n2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.\n\nSystem changes\nThe release of RHACS 3.67 includes the following system changes:\n\n1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images.\n2. The Port exposure method policy criteria now include route as an exposure method.\n3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.\n4. The OpenShift Compliance Operator integration now supports using TailoredProfiles.\n5. The RHACS Jenkins plugin now provides additional security information.\n6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.\n7. The default uid:gid pair for the Scanner image is now 65534:65534.\n8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes.\n9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.\n10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode. \n11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check \u0026 deployment check\n12. You can now use a regular expression for the deployment name while specifying policy exclusions",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4902",
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1956818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818"
},
{
"category": "external",
"summary": "1978144",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"
},
{
"category": "external",
"summary": "1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "1999784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999784"
},
{
"category": "external",
"summary": "2005445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005445"
},
{
"category": "external",
"summary": "2006044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006044"
},
{
"category": "external",
"summary": "2016640",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016640"
},
{
"category": "external",
"summary": "ROX-9371",
"url": "https://issues.redhat.com/browse/ROX-9371"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_4902.json"
}
],
"title": "Red Hat Security Advisory: ACS 3.67 security and enhancement update",
"tracking": {
"current_release_date": "2024-09-18T14:40:01+00:00",
"generator": {
"date": "2024-09-18T14:40:01+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2021:4902",
"initial_release_date": "2021-12-01T17:22:46+00:00",
"revision_history": [
{
"date": "2021-12-01T17:22:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-01T17:22:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-18T14:40:01+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.67 for RHEL 8",
"product": {
"name": "RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.67::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.67.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.67.0-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64 as a component of RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"relates_to_product_reference": "8Base-RHACS-3.67"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64 as a component of RHACS 3.67 for RHEL 8",
"product_id": "8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64",
"relates_to_product_reference": "8Base-RHACS-3.67"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-27304",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-10-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2016640"
}
],
"notes": [
{
"category": "description",
"text": "A remote code execution vulnerability was found in CivetWeb (embeddable web server/library). Due to a directory traversal issue, an attacker is able to add or overwrite files that are subsequently executed which lead to impact to confidentiality, integrity, and availability of the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only impacts CivetWeb-based web applications that use the built-in file upload form handler (full working example in the \u201cembedded_c\u201d example in the CivetWeb sources).\n\nRed Hat Advanced Cluster Security includes code from CivetWeb in the Collector component, however it does not use the file upload form handler, hence is not impacted by this vulnerability. This vulnerability is rated Low for Red Hat Advanced Cluster Security.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-27304"
},
{
"category": "external",
"summary": "RHBZ#2016640",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016640"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-27304",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27304"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27304"
},
{
"category": "external",
"summary": "https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ",
"url": "https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ"
},
{
"category": "external",
"summary": "https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/",
"url": "https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API"
},
{
"cve": "CVE-2021-3749",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-08-31T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1999784"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. The highest threat from this vulnerability is system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-axios: Regular expression denial of service in trim function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift Container Platform (OCP) grafana-container does package a vulnerable version of nodejs axios. However, due to the instance being read only and behind OpenShift OAuth, the impact of this vulnerability is Low.\n\n* Red Hat Advanced Cluster Management for Kubernetes (RHACM) 2.1 and previous versions does contain a vulnerable version of nodejs axios, RHACM 2.2 on towards are not affected versions. For RHACM 2.1, due to the instance being read only and behind OAuth, the impact of this vulnerability is Low.\n\n* Because Service Telemetry Framework 1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF\u0027s service-telemetry-operator-container and smart-gateway-operator-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3749"
},
{
"category": "external",
"summary": "RHBZ#1999784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999784"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929",
"url": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"
},
{
"category": "external",
"summary": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31",
"url": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"
}
],
"release_date": "2021-08-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-axios: Regular expression denial of service in trim function"
},
{
"cve": "CVE-2021-3801",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2005445"
}
],
"notes": [
{
"category": "description",
"text": "Insufficient Regular Expression Complexity in prismjs leads to a Regular Expression Denial of Service (ReDoS) attack. An unauthenticated attacker can exploit this flaw to cause an application to consume an excess amount of CPU by providing a crafted HTML comment as input. This can result in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-prismjs: ReDoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.\n\nJust as OCP, OpenShift ServiceMesh (OSSM) components are behind OpenShift OAuth what reducing impact to Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3801"
},
{
"category": "external",
"summary": "RHBZ#2005445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005445"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3801",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3801"
}
],
"release_date": "2021-09-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-prismjs: ReDoS vulnerability"
},
{
"cve": "CVE-2021-23343",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-05-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1956818"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-path-parse. All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Had Quay , whilst a vulnerable version of `path-parse` is included in the quay-rhel8 container it is a development dependency only, hence the impact by this vulnerability is low.\n\nIn OpenShift Container Platform (OCP), the hadoop component which is a part of the OCP metering stack, ships the vulnerable version of \u0027path-parse\u0027.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected component is marked as wontfix.\nThis may be fixed in the future.\n\nIn Red Hat OpenShift Container Storage 4 the noobaa-core container includes the affected version of `path-parse`, however the vulnerable functionality is currently not used in any part of the product.\n\nIn Red Hat Virtualization cockpit-ovirt, ovirt-engine-ui-extensions and ovirt-web-ui use vulnerable version of `path-parse`, however for cockpit-ovirt it is a development time dependency only, and for ovirt-engine-ui-extensions and ovirt-web-ui the vulnerable functions are never used.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23343"
},
{
"category": "external",
"summary": "RHBZ#1956818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956818"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23343"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067",
"url": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067"
}
],
"release_date": "2021-05-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe"
},
{
"cve": "CVE-2021-29923",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-08-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1992006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:\n* OpenShift distributed tracing (formerly OpenShift Jaeger)\n* OpenShift Migration Toolkit for Containers\n* OpenShift Container Platform",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29923"
},
{
"category": "external",
"summary": "RHBZ#1992006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
},
{
"category": "external",
"summary": "https://sick.codes/sick-2021-016/",
"url": "https://sick.codes/sick-2021-016/"
}
],
"release_date": "2021-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64",
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet"
},
{
"cve": "CVE-2021-32690",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1978144"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "helm: information disclosure vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Advanced Cluster Management for Kubernetes:\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are using helm chart provided by the installer, so components are not using untrusted charts except in the application-lifecycle area. For this reason we marked the impact as low. For RHACM, the credentials could be leaked only when a helm chart is stored in a domain other than the helm repository itself. In practice, this rarely happens as the chart is stored in the same helm repository. For example, this chart in the helm repo https://charts.helm.sh/stable/index.yaml references only charts stored in the same domain (charts.heml.sh). From version, 2.2 onwards, multicloud-operators-placementrule and multicloud-operators-deployable do not use helm at all.\n\nOpenShift Developer Tools and Services:\n\nThe OpenShift Helm team has analyzed this CVE and we have come to the conclusion that this only affects OpenShift Helm customers that use the CLI to install and update charts. It does not affect customers that use the OpenShift Console to install and update charts. To mitigate this issue, customers can refresh their Helm cli by following the Red Had official Helm install guide here: https://docs.openshift.com/container-platform/4.7/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html#installing-helm_getting-started-with-helm-on-openshift. The mirror (https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/) have already been updated with helm 3.6.2 which contains the fix for this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-32690"
},
{
"category": "external",
"summary": "RHBZ#1978144",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-32690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690"
},
{
"category": "external",
"summary": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf",
"url": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf"
}
],
"release_date": "2021-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "helm: information disclosure vulnerability"
},
{
"cve": "CVE-2021-39293",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2006044"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform.\n\n* This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s smart-gateway-container and sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-operator-bundle@sha256:9629a16f4009d48e580bc389d632a43c698ffd53c74364293fcf035a4c944382_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39293"
},
{
"category": "external",
"summary": "RHBZ#2006044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006044"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39293",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39293"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw",
"url": "https://groups.google.com/g/golang-announce/c/dx9d7IOseHw"
}
],
"release_date": "2021-08-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.",
"product_ids": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4902"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.67:advanced-cluster-security/rhacs-rhel8-operator@sha256:bf785fa6b8f22a473d1cc58aa9877f41f1161fef360883fee385c4ae421840e2_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)"
}
]
}
Loading...