cve-2022-31051
Vulnerability from cvelistv5
| Vendor | Product |
|---|---|
| semantic-release | semantic-release |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:03:40.299Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "semantic-release", "vendor": "semantic-release", "versions": [ { "status": "affected", "version": "\u003e= 17.0.4, \u003c 19.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-09T20:05:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "tags": [ "x_refsource_MISC" ], "url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ], "source": { "advisory": "GHSA-x2pg-mjhr-2m5x", "discovery": "UNKNOWN" }, "title": "Exposure of Sensitive Information to an Unauthorized Actor in semantic-release", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31051", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in semantic-release" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "semantic-release", "version": { "version_data": [ { "version_value": "\u003e= 17.0.4, \u003c 19.0.3" } ] } } ] }, "vendor_name": "semantic-release" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x", "refsource": "CONFIRM", "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "name": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad", "refsource": "MISC", "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI", "refsource": "MISC", "url": 
"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "name": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3", "refsource": "MISC", "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ] }, "source": { "advisory": "GHSA-x2pg-mjhr-2m5x", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31051", "datePublished": "2022-06-09T20:05:12", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.299Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-31051\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-09T20:15:08.400\",\"lastModified\":\"2022-06-17T14:48:40.617\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.\"},{\"lang\":\"es\",\"value\":\"semantic-release es un paquete npm de c\u00f3digo abierto para la administraci\u00f3n automatizada de versiones y la publicaci\u00f3n de paquetes. 
En versiones afectadas, los secretos que normalmente estar\u00edan enmascarados por semantic-release pueden ser revelados accidentalmente si contienen caracteres que est\u00e1n excluidos de la codificaci\u00f3n uri por \\\"encodeURI\\\". La ocurrencia es limitada adem\u00e1s a contextos de ejecuci\u00f3n en los que el acceso push al repositorio relacionado no est\u00e1 disponible sin modificar la url del repositorio para inyectar credenciales. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deben asegurarse de que los secretos que no contengan caracteres excluidos de la codificaci\u00f3n con \\\"encodeURI\\\" cuando sean incluidos en una URL ya est\u00e9n enmascarados correctamente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.7,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityIm
pact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:semantic-release_project:semantic-release:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.4\",\"versionEndExcluding\":\"19.0.3\",\"matchCriteriaId\":\"568BC3E0-23CD-43A5-BF0D-FD867359D17A\"}]}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
rhsa-2022_5555
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. 
The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.\n\nSecurity Fix(es):\n\n* nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)\n\n* apache-commons-compress: infinite loop when reading a specially crafted 7Z archive (CVE-2021-35515)\n\n* apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (CVE-2021-35516)\n\n* apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-35517)\n\n* apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive (CVE-2021-36090)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)\n\n* spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950)\n\n* semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding (CVE-2022-31051)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nA list of bugs fixed in this update is available in the Technical Notes book:\nhttps://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5555", "url": "https://access.redhat.com/errata/RHSA-2022:5555" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes", "url": "https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1663217", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1663217" }, { "category": "external", "summary": "1782077", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1782077" }, { "category": "external", "summary": "1849045", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849045" }, { "category": "external", "summary": "1852308", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1852308" }, { "category": "external", "summary": "1958032", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1958032" }, { "category": "external", "summary": "1966615", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966615" }, { "category": "external", "summary": "1976607", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976607" }, { "category": "external", "summary": "1981895", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981895" }, { "category": "external", "summary": "1981900", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981900" }, { 
"category": "external", "summary": "1981903", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981903" }, { "category": "external", "summary": "1981909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981909" }, { "category": "external", "summary": "1994144", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994144" }, { "category": "external", "summary": "2001574", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001574" }, { "category": "external", "summary": "2001923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001923" }, { "category": "external", "summary": "2006625", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006625" }, { "category": "external", "summary": "2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "2030293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030293" }, { "category": "external", "summary": "2068270", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2068270" }, { "category": "external", "summary": "2069414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069414" }, { "category": "external", "summary": "2070045", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2070045" }, { "category": "external", "summary": "2072626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072626" }, { "category": "external", "summary": "2081241", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081241" }, { "category": "external", "summary": "2081559", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081559" }, { "category": "external", "summary": "2089856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089856" }, { "category": "external", "summary": "2092885", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092885" }, { "category": "external", "summary": "2093795", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2093795" }, { "category": "external", "summary": "2097414", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2097414" }, { "category": "external", "summary": "2099650", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2099650" }, { "category": "external", "summary": "2105296", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105296" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5555.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update", "tracking": { "current_release_date": "2024-11-15T14:54:30+00:00", "generator": { "date": "2024-11-15T14:54:30+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:5555", "initial_release_date": "2022-07-14T12:56:49+00:00", "revision_history": [ { "date": "2022-07-14T12:56:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-07-14T12:56:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:54:30+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "product": { "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "product_id": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.14-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.src", 
"product": { "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "product_id": "ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.5.3-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-dependencies-0:4.5.2-1.el8ev.src", "product": { "name": "ovirt-dependencies-0:4.5.2-1.el8ev.src", "product_id": "ovirt-dependencies-0:4.5.2-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-dependencies@4.5.2-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "postgresql-jdbc-0:42.2.14-1.el8ev.src", "product": { "name": "postgresql-jdbc-0:42.2.14-1.el8ev.src", "product_id": "postgresql-jdbc-0:42.2.14-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql-jdbc@42.2.14-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.6-1.el8ev.src", "product": { "name": "ovirt-log-collector-0:4.4.6-1.el8ev.src", "product_id": "ovirt-log-collector-0:4.4.6-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.6-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "apache-commons-compress-0:1.21-1.2.el8ev.src", "product": { "name": "apache-commons-compress-0:1.21-1.2.el8ev.src", "product_id": "apache-commons-compress-0:1.21-1.2.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/apache-commons-compress@1.21-1.2.el8ev?arch=src" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.5.0-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.5.0-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "product": { "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "product_id": 
"ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.4-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "product": { "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "product_id": "ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.5.1.2-0.11.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.9.0-1.el8ev.src", "product": { "name": "ovirt-web-ui-0:1.9.0-1.el8ev.src", "product_id": "ovirt-web-ui-0:1.9.0-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.0-1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "product": { "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "product_id": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.14-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh@4.5.3-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-grafana-integration-setup@4.5.3-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": 
"ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "product": { "name": "ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "product_id": "ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dwh-setup@4.5.3-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "product": { "name": "ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "product_id": "ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-dependencies@4.5.2-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "product": { "name": "postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "product_id": "postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql-jdbc@42.2.14-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "product": { "name": "postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "product_id": "postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql-jdbc-javadoc@42.2.14-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "product": { "name": "ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "product_id": "ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-log-collector@4.4.6-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "apache-commons-compress-0:1.21-1.2.el8ev.noarch", "product": { "name": "apache-commons-compress-0:1.21-1.2.el8ev.noarch", "product_id": "apache-commons-compress-0:1.21-1.2.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/apache-commons-compress@1.21-1.2.el8ev?arch=noarch" } } }, { "category": "product_version", 
"name": "apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "product": { "name": "apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "product_id": "apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/apache-commons-compress-javadoc@1.21-1.2.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.5.0-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "product": { "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "product_id": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.4-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/ovirt-engine-dbscripts@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": 
"ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", 
"product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.5.1.2-0.11.el8ev.noarch", "product": { "name": "rhvm-0:4.5.1.2-0.11.el8ev.noarch", "product_id": "rhvm-0:4.5.1.2-0.11.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.5.1.2-0.11.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "product": { "name": "ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "product_id": "ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.0-1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "apache-commons-compress-0:1.21-1.2.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch" }, "product_reference": "apache-commons-compress-0:1.21-1.2.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "apache-commons-compress-0:1.21-1.2.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src" }, "product_reference": "apache-commons-compress-0:1.21-1.2.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", 
"full_product_name": { "name": "apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" }, "product_reference": "apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-dependencies-0:4.5.2-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch" }, "product_reference": "ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-dependencies-0:4.5.2-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" }, "product_reference": "ovirt-dependencies-0:4.5.2-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.5.1.2-0.11.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src" }, "product_reference": "ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-0:4.5.3-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src" }, "product_reference": "ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": 
{ "name": "ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch" }, "product_reference": "ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { 
"category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch as a component of 
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch" }, "product_reference": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "relates_to_product_reference": 
"8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src" }, "product_reference": "ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.6-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch" }, 
"product_reference": "ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-log-collector-0:4.4.6-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src" }, "product_reference": "ovirt-log-collector-0:4.4.6-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.9.0-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch" }, "product_reference": "ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-web-ui-0:1.9.0-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" }, "product_reference": "ovirt-web-ui-0:1.9.0-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql-jdbc-0:42.2.14-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch" }, "product_reference": "postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql-jdbc-0:42.2.14-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src" }, "product_reference": "postgresql-jdbc-0:42.2.14-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": 
"default_component_of", "full_product_name": { "name": "postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch" }, "product_reference": "postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src" }, "product_reference": "rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.5.1.2-0.11.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch" }, "product_reference": "rhvm-0:4.5.1.2-0.11.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": 
"default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.5.0-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.5.0-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3807", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2007557" } ], "notes": [ { "category": "description", "text": "A regular 
expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw requires crafted invalid ANSI escape codes in order to be exploited and only allows for denial of service of applications on the client side, hence the impact has been rated as Moderate.\n\nIn Red Hat Virtualization and Red Hat Quay some components use a vulnerable version of ansi-regex. However, all frontend code is executed on the client side. As the maximum impact of this vulnerability is denial of service in the client, the vulnerability is rated Moderate for those products.\n\nOpenShift Container Platform 4 (OCP) ships affected version of ansi-regex in the ose-metering-hadoop container, however the metering operator is deprecated since 4.6[1]. This issue is not currently planned to be addressed in future updates and hence hadoop container has been marked as \u0027will not fix\u0027.\n\nAdvanced Cluster Management for Kubernetes (RHACM) ships the affected version of ansi-regex in several containers, however the impact of this vulnerability is deemed low as it would result in an authenticated slowing down their own user interface. 
\n\n[1] https://docs.openshift.com/container-platform/4.6/metering/metering-about-metering.html", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3807" }, { "category": "external", "summary": "RHBZ#2007557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3807", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "category": "external", "summary": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" } ], "release_date": "2021-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes" }, { "cve": "CVE-2021-22096", "discovery_date": "2021-12-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", 
"8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034584" } ], "notes": [ { "category": "description", "text": "In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.", "title": "Vulnerability description" }, { "category": "summary", "text": "springframework: malicious input leads to insertion of additional log entries", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", 
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-22096" }, { "category": "external", "summary": "RHBZ#2034584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034584" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22096", "url": "https://www.cve.org/CVERecord?id=CVE-2021-22096" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22096", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22096" } ], "release_date": "2021-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ] } ], "threats": [ { 
"category": "impact", "details": "Low" } ], "title": "springframework: malicious input leads to insertion of additional log entries" }, { "cve": "CVE-2021-33623", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-05-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1966615" } ], "notes": [ { "category": "description", "text": "A flaw was found in nodejs-trim-newlines. Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-trim-newlines: ReDoS in .end() method", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform (OCP) grafana-container does package a vulnerable version of nodejs trim-newlines. However due to the instance being read only and behind OpenShift OAuth, the impact by this vulnerability is Low. 
Red Hat Advanced Cluster Management for Kubernetes (ACM) containers affected by this flaw are only accessible to authenticated users, thus the impact of this vulnerability is Low. \nRed Hat Virtualization (RHV) does package a vulnerable version of nodejs-trim-newlines. However, no untrusted content is being parsed therefore the impact of this vulnerability is Low.\n\nThe hosted services are shipped with the vulnerable packages, however the vulnerable methods were not identified in use at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-33623" }, { 
"category": "external", "summary": "RHBZ#1966615", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966615" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-33623", "url": "https://www.cve.org/CVERecord?id=CVE-2021-33623" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33623" } ], "release_date": "2021-05-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-trim-newlines: ReDoS in .end() method" }, { "cve": "CVE-2021-35515", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1981895" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This flaw allows the mounting of a denial of service attack against services that use Compress\u0027 SevenZ package. 
The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-compress: infinite loop when reading a specially crafted 7Z archive", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35515" }, { "category": "external", "summary": "RHBZ#1981895", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981895" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35515", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35515" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35515" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/07/13/1", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/1" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-compress/security-reports.html", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E", "url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", 
"8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-compress: infinite loop when reading a specially crafted 7Z archive" }, { "cve": "CVE-2021-35516", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1981900" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for very small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress\u0027 SevenZ package. 
The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35516" }, { "category": "external", "summary": "RHBZ#1981900", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981900" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35516", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35516" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35516", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35516" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/07/13/2", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/2" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-compress/security-reports.html", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E", "url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", 
"8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive" }, { "cve": "CVE-2021-35517", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1981903" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-commons-compress. When reading a specially crafted TAR archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress\u0027 TAR package. 
The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35517" }, { "category": "external", "summary": "RHBZ#1981903", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981903" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35517", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35517" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35517", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35517" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/07/13/3", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/3" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-compress/security-reports.html", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E", "url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", 
"8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive" }, { "cve": "CVE-2021-36090", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2021-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1981909" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-commons-compress. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress\u0027 zip package. 
The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-36090" }, { "category": "external", "summary": "RHBZ#1981909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981909" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-36090", "url": "https://www.cve.org/CVERecord?id=CVE-2021-36090" }, { "category": 
"external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2021/07/13/4", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/4" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-compress/security-reports.html", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E", "url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E" } ], "release_date": "2021-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", 
"8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive" }, { "cve": "CVE-2022-22950", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2022-03-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2069414" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Spring Framework. 
This flaw allows an attacker to craft a special Spring Expression, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "spring-expression: Denial of service via specially crafted SpEL expression", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-22950" }, { "category": "external", "summary": "RHBZ#2069414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069414" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2022-22950", "url": "https://www.cve.org/CVERecord?id=CVE-2022-22950" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-22950", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22950" } ], "release_date": "2022-03-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "spring-expression: Denial of service via specially crafted SpEL expression" }, { "cve": "CVE-2022-31051", "cwe": { "id": "CWE-212", "name": "Improper Removal of Sensitive Information Before Storage or Transfer" }, "discovery_date": "2022-06-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2097414" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in semantic-release. Secrets that are normally masked are accidentally disclosed if they contain characters excluded from uri encoding by `encodeURI()`. The vulnerability is further limited to execution contexts where push access to the related repository is unavailable without modifying the repository URL to inject credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "known_not_affected": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31051" }, { "category": "external", "summary": "RHBZ#2097414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097414" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31051", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31051" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31051", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31051" }, { "category": "external", "summary": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x", "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" } ], "release_date": "2022-06-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-07-14T12:56:49+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5555" }, { 
"category": "workaround", "details": "Users should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL that is already masked properly.", "product_ids": [ "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:apache-commons-compress-0:1.21-1.2.el8ev.src", "8Base-RHV-S-4.4:apache-commons-compress-javadoc-0:1.21-1.2.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-dependencies-0:4.5.2-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.5.1.2-0.11.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-0:4.5.3-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-dwh-grafana-integration-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dwh-setup-0:4.5.3-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.1.2-0.11.el8ev.noarch", 
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.4-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-log-collector-0:4.4.6-1.el8ev.src", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:postgresql-jdbc-0:42.2.14-1.el8ev.src", "8Base-RHV-S-4.4:postgresql-jdbc-javadoc-0:42.2.14-1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.noarch", "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.14-1.el8ev.src", "8Base-RHV-S-4.4:rhvm-0:4.5.1.2-0.11.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.5.0-1.el8ev.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.0-1.el8ev.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding" } ] }
gsd-2022-31051
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2022-31051", "description": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.", "id": "GSD-2022-31051", "references": [ "https://access.redhat.com/errata/RHSA-2022:5555" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-31051" ], "details": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. 
Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.", "id": "GSD-2022-31051", "modified": "2023-12-13T01:19:17.505663Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31051", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in semantic-release" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "semantic-release", "version": { "version_data": [ { "version_value": "\u003e= 17.0.4, \u003c 19.0.3" } ] } } ] }, "vendor_name": "semantic-release" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly." 
} ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x", "refsource": "CONFIRM", "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "name": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad", "refsource": "MISC", "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI", "refsource": "MISC", "url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "name": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3", "refsource": "MISC", "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ] }, "source": { "advisory": "GHSA-x2pg-mjhr-2m5x", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=17.0.4 \u003c19.0.3", "affected_versions": "All versions starting from 17.0.4 before 19.0.3", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cwe_ids": [ "CWE-1035", "CWE-200", "CWE-937" ], "date": "2022-06-17", "description": "semantic-release is an open source npm package for automated version management and 
package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.", "fixed_versions": [ "19.0.3" ], "identifier": "CVE-2022-31051", "identifiers": [ "CVE-2022-31051", "GHSA-x2pg-mjhr-2m5x" ], "not_impacted": "All versions before 17.0.4, all versions starting from 19.0.3", "package_slug": "npm/semantic-release", "pubdate": "2022-06-09", "solution": "Upgrade to version 19.0.3 or above.", "title": "Exposure of Sensitive Information to an Unauthorized Actor", "urls": [ "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x", "https://github.com/semantic-release/semantic-release/pull/2449", "https://github.com/semantic-release/semantic-release/pull/2459", "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad", "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3", "https://github.com/advisories/GHSA-x2pg-mjhr-2m5x" ], "uuid": "471d42ff-d369-4ccf-8ed5-b9999cdb5179" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:semantic-release_project:semantic-release:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "19.0.3", "versionStartIncluding": "17.0.4", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31051" }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-200" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "name": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "name": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ] } }, 
"impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } }, "lastModifiedDate": "2022-06-17T14:48Z", "publishedDate": "2022-06-09T20:15Z" } } }
ghsa-x2pg-mjhr-2m5x
Vulnerability from github
Impact
What kind of vulnerability is it? Who is impacted?
Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from URI encoding by `encodeURI`. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository URL to inject credentials.
Patches
Has the problem been patched? What versions should users upgrade to?
Fixed in 19.0.3
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Secrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.
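The masking gap and the workaround condition described above, as an added JavaScript example that is not semantic-release's own code. The masker, the `withCredentials` helper, the host name and both secrets are constructed for illustration, and the example assumes credentials reach the URL through the WHATWG `URL` setters; it also shows an encoding-independent alternative, stripping the userinfo part of a URL before it is logged.

```javascript
// Added example (not semantic-release code). All names and values are constructed.
const MASK = '[secure]';

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Masker that knows each secret only in its raw and encodeURI() forms,
// the coverage the advisory describes as insufficient.
function maskRawAndEncodeURI(secrets) {
  const variants = [...new Set(secrets.flatMap((s) => [s, encodeURI(s)]))];
  if (variants.length === 0) return (text) => text;
  const re = new RegExp(variants.map(escapeRegExp).join('|'), 'g');
  return (text) => text.replace(re, MASK);
}

// Assumption: credentials are injected through the WHATWG URL setters, which
// percent-encode userinfo characters such as "@", "/", ":" and "#".
function withCredentials(repoUrl, user, secret) {
  const url = new URL(repoUrl);
  url.username = user;
  url.password = secret;
  return url.href;
}

// Workaround check: flags secrets that contain the reserved characters
// encodeURI() leaves unescaped (; / ? : @ & = + $ , #). A deliberately
// conservative reading of the advisory's condition.
const needsReview = (secret) => /[;\/?:@&=+$,#]/.test(secret);

// Encoding-independent mitigation: replace the userinfo part of any URL
// in the text, whatever encoding the credential ended up in.
const stripUrlCredentials = (text) =>
  text.replace(
    /\b([a-z][a-z0-9+.-]*:\/\/)[^\/\s@]+@/gi,
    (_, scheme) => `${scheme}${MASK}@`
  );

// Runs both maskers over one constructed log line per secret.
function demo() {
  const repo = 'https://git.example.invalid/org/repo.git';
  const secrets = { plain: 'plainTOKEN12345', reserved: 'ci-tok@en/2022#x' };
  const mask = maskRawAndEncodeURI(Object.values(secrets));
  const out = {};
  for (const [name, secret] of Object.entries(secrets)) {
    const line = `Verify authentication for ${withCredentials(repo, 'ci', secret)}`;
    out[name] = {
      needsReview: needsReview(secret),
      masked: mask(line),
      stripped: stripUrlCredentials(line),
    };
  }
  return out;
}

console.log(demo());
```

The secret with reserved characters appears in the log in its percent-encoded form, which matches neither variant the first masker knows; the userinfo-stripping function masks both lines identically.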
References
Are there any links users can visit to find out more?
* https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3
* https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
For more information
If you have any questions or comments about this advisory:
* Open a discussion in semantic-release discussions (https://github.com/semantic-release/semantic-release/discussions)
{ "affected": [ { "package": { "ecosystem": "npm", "name": "semantic-release" }, "ranges": [ { "events": [ { "introduced": "17.0.4" }, { "fixed": "19.0.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-31051" ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2022-06-09T23:51:25Z", "nvd_published_at": "2022-06-09T20:15:00Z", "severity": "MODERATE" }, "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nSecrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by [encodeURI](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI). Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in 19.0.3\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nSecrets that do not contain characters that are excluded from encoding with `encodeURI` when included in a URL are already masked properly.\n\n### References\n_Are there any links users can visit to find out more?_\n* https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3\n* https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in [semantic-release discussions](https://github.com/semantic-release/semantic-release/discussions)\n", "id": "GHSA-x2pg-mjhr-2m5x", "modified": "2022-06-20T22:00:29Z", "published": "2022-06-09T23:51:25Z", "references": [ { "type": "WEB", "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-x2pg-mjhr-2m5x" }, { "type": "ADVISORY", 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31051" }, { "type": "WEB", "url": "https://github.com/semantic-release/semantic-release/pull/2449" }, { "type": "WEB", "url": "https://github.com/semantic-release/semantic-release/pull/2459" }, { "type": "WEB", "url": "https://github.com/semantic-release/semantic-release/commit/58a226f29c04ee56bbb02cc661f020d568849cad" }, { "type": "WEB", "url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI" }, { "type": "PACKAGE", "url": "https://github.com/semantic-release/semantic-release" }, { "type": "WEB", "url": "https://github.com/semantic-release/semantic-release/releases/tag/v19.0.3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in semantic-release" }