rhsa-2022_1739
Vulnerability from csaf_redhat
Published: 2022-05-05 18:02
Modified: 2024-11-13 23:43
Summary
Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update
Notes
Topic
An update for is now available for OpenShift Service Mesh 2.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers the containers for the release.
Security Fix(es):
* minimist: prototype pollution (CVE-2021-44906)
* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)
* node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)
* node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)
* node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for is now available for OpenShift Service Mesh 2.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nThis advisory covers the containers for the release.\n\nSecurity Fix(es):\n\n* minimist: prototype pollution (CVE-2021-44906)\n* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)\n* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)\n* node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)\n* node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)\n* node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International 
License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1739", "url": "https://access.redhat.com/errata/RHSA-2022:1739" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2044591", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591" }, { "category": "external", "summary": "2053259", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2067387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067387" }, { "category": "external", "summary": "2067458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067458" }, { "category": "external", "summary": "2067461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067461" }, { "category": "external", "summary": "OSSM-1435", "url": "https://issues.redhat.com/browse/OSSM-1435" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1739.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update", "tracking": { "current_release_date": "2024-11-13T23:43:34+00:00", 
"generator": { "date": "2024-11-13T23:43:34+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2022:1739", "initial_release_date": "2022-05-05T18:02:37+00:00", "revision_history": [ { "date": "2022-05-05T18:02:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-05-05T18:02:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-13T23:43:34+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Service Mesh 2.1", "product": { "name": "OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:service_mesh:2.1::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Service Mesh" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1" } } }, { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "product": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "product_id": 
"openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1" } } }, { "category": "product_version", "name": 
"openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "product": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "product_id": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le", "product_identification_helper": { "purl": 
"pkg:oci/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1" } } }, { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le", "product": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le", "product_id": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le as a component of 
OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64 as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x" }, 
"product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64 as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64" }, "product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" }, "product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64 as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", 
"full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "relates_to_product_reference": "8Base-OSSM-2.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le as a component of OpenShift Service Mesh 2.1", "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le", "relates_to_product_reference": "8Base-OSSM-2.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. 
It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "cve": "CVE-2022-0235", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2022-01-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2044591" } ], "notes": [ { "category": "description", "text": "A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as \"Authorization,\" \"WWW-Authenticate,\" and \"Cookie\" to potentially untrusted targets. 
This flaw leads to the exposure of sensitive information to an unauthorized actor.", "title": "Vulnerability description" }, { "category": "summary", "text": "node-fetch: exposure of sensitive information to an unauthorized actor", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw is out of support scope for dotnet-5.0. For more information about Dotnet product support scope, please see https://access.redhat.com/support/policy/updates/net-core", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0235" }, { "category": "external", "summary": "RHBZ#2044591", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0235", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0235" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235" }, { "category": "external", "summary": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/", "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/" } ], "release_date": "2022-01-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", 
"baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "node-fetch: exposure of sensitive information to an unauthorized actor" }, { "cve": "CVE-2022-0536", "cwe": { "id": "CWE-212", "name": "Improper Removal of Sensitive Information Before Storage or Transfer" }, "discovery_date": "2022-02-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": 
"2053259" } ], "notes": [ { "category": "description", "text": "A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-0536" }, { "category": "external", "summary": "RHBZ#2053259", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0536", "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536" } ], "release_date": "2022-02-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak" }, { "cve": "CVE-2022-24771", "cwe": { "id": "CWE-347", "name": "Improper Verification of Cryptographic Signature" }, "discovery_date": "2022-03-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2067387" } ], "notes": [ { "category": 
"description", "text": "A flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature.", "title": "Vulnerability description" }, { "category": "summary", "text": "node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw affects the DigestAlgorithm structure.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24771" }, { "category": "external", "summary": "RHBZ#2067387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067387" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24771", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24771" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24771", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24771" }, { "category": "external", "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765" } ], "release_date": "2022-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery" }, { "cve": "CVE-2022-24772", "cwe": { "id": "CWE-347", "name": "Improper Verification of Cryptographic Signature" }, "discovery_date": "2022-03-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": 
[ { "system_name": "Red Hat Bugzilla ID", "text": "2067458" } ], "notes": [ { "category": "description", "text": "A flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature.", "title": "Vulnerability description" }, { "category": "summary", "text": "node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw affects the DigestInfo ASN.1 structure.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24772" }, { "category": "external", "summary": "RHBZ#2067458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067458" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24772", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24772" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772" }, { "category": "external", "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g" } ], "release_date": "2022-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, 
"url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery" }, { "cve": "CVE-2022-24773", "cwe": { "id": "CWE-347", "name": "Improper Verification of Cryptographic Signature" }, "discovery_date": "2022-03-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2067461" } ], "notes": [ { "category": "description", "text": "A flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS#1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource.", "title": "Vulnerability description" }, { "category": "summary", "text": "node-forge: Signature verification leniency in checking `DigestInfo` structure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "known_not_affected": [ "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64", "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24773" }, { "category": "external", "summary": "RHBZ#2067461", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067461" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24773", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24773" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24773", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24773" }, { "category": "external", "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr" } ], "release_date": "2022-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-05T18:02:37+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html", "product_ids": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", 
"8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1739" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x", "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "node-forge: Signature verification leniency in checking `DigestInfo` structure" } ] }