csaf_redhat - rhsa-2022

rhsa-2022_0687

Vulnerability from csaf_redhat

Published

2022-02-28 21:18

Modified

2024-09-16 21:39

Summary

Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.1 security and bug fix update

Notes

Topic

OpenShift API for Data Protection (OADP) 1.0.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Security Fix(es): * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "OpenShift API for Data Protection (OADP) 1.0.1 is now available.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.\n\nSecurity Fix(es):\n\n* ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)\n\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:0687",
        "url": "https://access.redhat.com/errata/RHSA-2022:0687"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1954368",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954368"
      },
      {
        "category": "external",
        "summary": "2024938",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
      },
      {
        "category": "external",
        "summary": "OADP-198",
        "url": "https://issues.redhat.com/browse/OADP-198"
      },
      {
        "category": "external",
        "summary": "OADP-223",
        "url": "https://issues.redhat.com/browse/OADP-223"
      },
      {
        "category": "external",
        "summary": "OADP-272",
        "url": "https://issues.redhat.com/browse/OADP-272"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_0687.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.1 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-09-16T21:39:46+00:00",
      "generator": {
        "date": "2024-09-16T21:39:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2022:0687",
      "initial_release_date": "2022-02-28T21:18:28+00:00",
      "revision_history": [
        {
          "date": "2022-02-28T21:18:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-02-28T21:18:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T21:39:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "8Base-OADP-1.0",
                "product": {
                  "name": "8Base-OADP-1.0",
                  "product_id": "8Base-OADP-1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_api_data_protection:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift API for Data Protection"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
                "product": {
                  "name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
                  "product_id": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-kubevirt-velero-plugin-rhel8\u0026tag=1.0.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
                "product": {
                  "name": "oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
                  "product_id": "oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-mustgather-rhel8\u0026tag=1.0.1-7"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
                "product": {
                  "name": "oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
                  "product_id": "oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-operator-bundle\u0026tag=1.0.1-10"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
                "product": {
                  "name": "oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
                  "product_id": "oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-rhel8-operator\u0026tag=1.0.1-6"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
                "product": {
                  "name": "oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
                  "product_id": "oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-registry-rhel8\u0026tag=1.0.1-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64",
                "product": {
                  "name": "oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64",
                  "product_id": "oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-rhel8\u0026tag=1.0.1-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64",
                "product": {
                  "name": "oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64",
                  "product_id": "oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-rhel8\u0026tag=1.0.1-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
                "product": {
                  "name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
                  "product_id": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-aws-rhel8\u0026tag=1.0.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
                "product": {
                  "name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
                  "product_id": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-csi-rhel8\u0026tag=1.0.1-6"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
                "product": {
                  "name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
                  "product_id": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-gcp-rhel8\u0026tag=1.0.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
                "product": {
                  "name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
                  "product_id": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-plugin-for-microsoft-azure-rhel8\u0026tag=1.0.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
                "product": {
                  "name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
                  "product_id": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e?arch=amd64\u0026repository_url=registry.redhat.io/oadp/oadp-velero-restic-restore-helper-rhel8\u0026tag=1.0.1-4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64"
        },
        "product_reference": "oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64"
        },
        "product_reference": "oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64"
        },
        "product_reference": "oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64"
        },
        "product_reference": "oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64"
        },
        "product_reference": "oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64"
        },
        "product_reference": "oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64"
        },
        "product_reference": "oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64"
        },
        "product_reference": "oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64"
        },
        "product_reference": "oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
        },
        "product_reference": "oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64"
        },
        "product_reference": "oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64 as a component of 8Base-OADP-1.0",
          "product_id": "8Base-OADP-1.0:oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64"
        },
        "product_reference": "oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64",
        "relates_to_product_reference": "8Base-OADP-1.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-29482",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-04-28T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OADP-1.0:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
            "8Base-OADP-1.0:oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
            "8Base-OADP-1.0:oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
            "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
            "8Base-OADP-1.0:oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1954368"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate a loop what could lead to denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ulikunitz/xz: Infinite loop in readUvarint allows for denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth authentication, therefore the impact is low.\nIn OCP before 4.7 the buildah, skopeo and podman packages include vulnerable version of github.com/ulikunitz/xz, but these OCP releases are already in the Maintenance Phase of the support, hence affected components are marked as wontfix. This may be fixed in the future.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
        ],
        "known_not_affected": [
          "8Base-OADP-1.0:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
          "8Base-OADP-1.0:oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
          "8Base-OADP-1.0:oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
          "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
          "8Base-OADP-1.0:oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-29482"
        },
        {
          "category": "external",
          "summary": "RHBZ#1954368",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954368"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-29482",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-29482"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482"
        }
      ],
      "release_date": "2020-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0687"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ulikunitz/xz: Infinite loop in readUvarint allows for denial of service"
    },
    {
      "cve": "CVE-2021-41190",
      "cwe": {
        "id": "CWE-843",
        "name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
      },
      "discovery_date": "2021-11-18T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OADP-1.0:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
            "8Base-OADP-1.0:oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
            "8Base-OADP-1.0:oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
            "8Base-OADP-1.0:oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2024938"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "opencontainers: OCI manifest and index parsing confusion",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "As a consequence of the OCI Image Specification (and OCI Distribution Specification [1]), container runtime engines (like containerd, moby - Docker Engine, cri-o) deliver updates to adopt new `mediaType` field used for identification of the document type. Even though some Red Hat products rely on container engine, the impact by this issue is LOW.\n\n[1] https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
        ],
        "known_not_affected": [
          "8Base-OADP-1.0:oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:994dbf4e76ba187e1066f2b68ca4a5dba3f4f32c481bdb324874df6d8e9f9c8c_amd64",
          "8Base-OADP-1.0:oadp/oadp-mustgather-rhel8@sha256:dfc68db1acca3b88e5ddf1f5f89be3a6a333d6e7b89d754fa131e35b22666349_amd64",
          "8Base-OADP-1.0:oadp/oadp-operator-bundle@sha256:92f0845b726be3bdd0436961dc2d13da5b7b45d0a6f5d2371511b6e676bfd484_amd64",
          "8Base-OADP-1.0:oadp/oadp-rhel8-operator@sha256:c3345ec8a8702bb959fbdf44f1889ded94b9bcc8f357b4d4c7837ff3217b1221_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-aws-rhel8@sha256:1e492468f7bdcd5929a52161e4acdd9b70b89b57e85a8fad3328e354df9bc8a4_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-csi-rhel8@sha256:e6f49b43014d3723fe364333eaf3b9aca65d739bcc346fba79573c78a11a513b_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:57ef82ab24f41c21719fcfa81cf49906f40219b96f2eb55db4a67995e620ad72_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:5f844dff42442699c1138d24739debefc4d99e9a7614adb65403787cf78e6880_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-restic-restore-helper-rhel8@sha256:f7b4f9749e9db856beeee9dc6225e28add8b2a3dc4a719fd4c23fc03b832d28e_amd64",
          "8Base-OADP-1.0:oadp/oadp-velero-rhel8@sha256:fd6c2d463817001039aae27f6de069e0a729833167979944876e88dabbc59772_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-41190"
        },
        {
          "category": "external",
          "summary": "RHBZ#2024938",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024938"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-41190",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190"
        },
        {
          "category": "external",
          "summary": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42",
          "url": "https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
          "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh",
          "url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
        }
      ],
      "release_date": "2021-11-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0687"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OADP-1.0:oadp/oadp-registry-rhel8@sha256:fe55f8e6d08bed2bd5925d504fbbd3ab7aa60287ed2baff44c583b814505baf8_amd64",
            "8Base-OADP-1.0:oadp/oadp-velero-plugin-rhel8@sha256:1cd2134419e7c7c1421ec68bbbe9a8b06da63b8221672a888d83056f02af16ed_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "opencontainers: OCI manifest and index parsing confusion"
    }
  ]
}

cve-2021-29482

Vulnerability from cvelistv5

Published

2021-04-28 18:15

Modified

2024-08-03 22:11

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

denial of service in github.com/ulikunitz/xz

References

URL	Tags
https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27	x_refsource_CONFIRM
https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b	x_refsource_MISC

Impacted products

Vendor	Product
ulikunitz	xz

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:05.477Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xz",
          "vendor": "ulikunitz",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "{\"CWE-835\":\"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-28T18:15:15",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
        }
      ],
      "source": {
        "advisory": "GHSA-25xm-hr59-7c27",
        "discovery": "UNKNOWN"
      },
      "title": "denial of service in github.com/ulikunitz/xz",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29482",
          "STATE": "PUBLIC",
          "TITLE": "denial of service in github.com/ulikunitz/xz"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.5.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ulikunitz"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-835\":\"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27",
              "refsource": "CONFIRM",
              "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27"
            },
            {
              "name": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b",
              "refsource": "MISC",
              "url": "https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-25xm-hr59-7c27",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29482",
    "datePublished": "2021-04-28T18:15:15",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:11:05.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-41190

Vulnerability from cvelistv5

Published

2021-11-17 19:20

Modified

2024-08-04 03:08

Severity

3.0 (Low) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Summary

Clarify Content-Type handling in OCI spec

References

URL	Tags
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m	x_refsource_CONFIRM
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/11/19/10	mailing-list, x_refsource_MLIST
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/	vendor-advisory, x_refsource_FEDORA

Impacted products

Vendor	Product
opencontainers	distribution-spec

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.262Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
          },
          {
            "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
          },
          {
            "name": "FEDORA-2021-d250fc2622",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
          },
          {
            "name": "FEDORA-2021-6dc68dbe4d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
          },
          {
            "name": "FEDORA-2021-79ba5abef6",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
          },
          {
            "name": "FEDORA-2021-eb2742b148",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
          },
          {
            "name": "FEDORA-2021-3dda301691",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
          },
          {
            "name": "FEDORA-2021-aacef7fa15",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
          },
          {
            "name": "FEDORA-2021-62352983b4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
          },
          {
            "name": "FEDORA-2021-6789ed60f2",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "distribution-spec",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-10T02:06:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
        },
        {
          "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
        },
        {
          "name": "FEDORA-2021-d250fc2622",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
        },
        {
          "name": "FEDORA-2021-6dc68dbe4d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
        },
        {
          "name": "FEDORA-2021-79ba5abef6",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
        },
        {
          "name": "FEDORA-2021-eb2742b148",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
        },
        {
          "name": "FEDORA-2021-3dda301691",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
        },
        {
          "name": "FEDORA-2021-aacef7fa15",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
        },
        {
          "name": "FEDORA-2021-62352983b4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
        },
        {
          "name": "FEDORA-2021-6789ed60f2",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
        }
      ],
      "source": {
        "advisory": "GHSA-mc8v-mgrf-8f4m",
        "discovery": "UNKNOWN"
      },
      "title": "Clarify Content-Type handling in OCI spec",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41190",
          "STATE": "PUBLIC",
          "TITLE": "Clarify Content-Type handling in OCI spec"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "distribution-spec",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "opencontainers"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
              "refsource": "CONFIRM",
              "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
            },
            {
              "name": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
              "refsource": "MISC",
              "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
            },
            {
              "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
            },
            {
              "name": "FEDORA-2021-d250fc2622",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
            },
            {
              "name": "FEDORA-2021-6dc68dbe4d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
            },
            {
              "name": "FEDORA-2021-79ba5abef6",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
            },
            {
              "name": "FEDORA-2021-eb2742b148",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
            },
            {
              "name": "FEDORA-2021-3dda301691",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
            },
            {
              "name": "FEDORA-2021-aacef7fa15",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
            },
            {
              "name": "FEDORA-2021-62352983b4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
            },
            {
              "name": "FEDORA-2021-6789ed60f2",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mc8v-mgrf-8f4m",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41190",
    "datePublished": "2021-11-17T19:20:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2022_0687

Vulnerability from csaf_redhat

cve-2021-29482

Vulnerability from cvelistv5

cve-2021-41190

Vulnerability from cvelistv5

Tags