csaf_redhat - rhsa-2022

rhsa-2022_1739

Vulnerability from csaf_redhat

Published

2022-05-05 18:02

Modified

2024-11-10 19:53

Summary

Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update

Notes

Topic

An update for is now available for OpenShift Service Mesh 2.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the containers for the release. Security Fix(es): * minimist: prototype pollution (CVE-2021-44906) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) * node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771) * node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772) * node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for is now available for OpenShift Service Mesh 2.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nThis advisory covers the containers for the release.\n\nSecurity Fix(es):\n\n* minimist: prototype pollution (CVE-2021-44906)\n* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)\n* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)\n* node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)\n* node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)\n* node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:1739",
        "url": "https://access.redhat.com/errata/RHSA-2022:1739"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2044591",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591"
      },
      {
        "category": "external",
        "summary": "2053259",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
      },
      {
        "category": "external",
        "summary": "2066009",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
      },
      {
        "category": "external",
        "summary": "2067387",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067387"
      },
      {
        "category": "external",
        "summary": "2067458",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067458"
      },
      {
        "category": "external",
        "summary": "2067461",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067461"
      },
      {
        "category": "external",
        "summary": "OSSM-1435",
        "url": "https://issues.redhat.com/browse/OSSM-1435"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1739.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update",
    "tracking": {
      "current_release_date": "2024-11-10T19:53:53+00:00",
      "generator": {
        "date": "2024-11-10T19:53:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2022:1739",
      "initial_release_date": "2022-05-05T18:02:37+00:00",
      "revision_history": [
        {
          "date": "2022-05-05T18:02:37+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-05-05T18:02:37+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-10T19:53:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Service Mesh 2.1",
                "product": {
                  "name": "OpenShift Service Mesh 2.1",
                  "product_id": "8Base-OSSM-2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_mesh:2.1::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Service Mesh"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
                  "product_id": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
                  "product_id": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
                "product": {
                  "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
                  "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
                  "product_id": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
                  "product_id": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
                "product": {
                  "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
                  "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le",
                  "product_id": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.36.9-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le",
                "product": {
                  "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le",
                  "product_id": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8-operator\u0026tag=1.36.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
                "product": {
                  "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
                  "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.1.2-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le"
        },
        "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64 as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64"
        },
        "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x"
        },
        "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64 as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64 as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le as a component of OpenShift Service Mesh 2.1",
          "product_id": "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        },
        "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le",
        "relates_to_product_reference": "8Base-OSSM-2.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44906",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2022-03-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2066009"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "minimist: prototype pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-44906"
        },
        {
          "category": "external",
          "summary": "RHBZ#2066009",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
          "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
        }
      ],
      "release_date": "2022-03-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "minimist: prototype pollution"
    },
    {
      "cve": "CVE-2022-0235",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "discovery_date": "2022-01-16T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2044591"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as \"Authorization,\" \"WWW-Authenticate,\" and \"Cookie\" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-fetch: exposure of sensitive information to an unauthorized actor",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is out of support scope for dotnet-5.0. For more information about Dotnet product support scope, please see https://access.redhat.com/support/policy/updates/net-core",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "RHBZ#2044591",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0235",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/",
          "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/"
        }
      ],
      "release_date": "2022-01-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "node-fetch: exposure of sensitive information to an unauthorized actor"
    },
    {
      "cve": "CVE-2022-0536",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "discovery_date": "2022-02-10T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2053259"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "RHBZ#2053259",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0536",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536"
        }
      ],
      "release_date": "2022-02-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak"
    },
    {
      "cve": "CVE-2022-24771",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2022-03-23T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2067387"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw affects the DigestAlgorithm structure.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24771"
        },
        {
          "category": "external",
          "summary": "RHBZ#2067387",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067387"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24771",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24771"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24771",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24771"
        },
        {
          "category": "external",
          "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765",
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
        }
      ],
      "release_date": "2022-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery"
    },
    {
      "cve": "CVE-2022-24772",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2022-03-23T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2067458"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the node-forge package. This signature verification leniency allows an attacker to forge a signature.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw affects the DigestInfo ASN.1 structure.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24772"
        },
        {
          "category": "external",
          "summary": "RHBZ#2067458",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067458"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24772",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24772"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772"
        },
        {
          "category": "external",
          "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g",
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"
        }
      ],
      "release_date": "2022-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery"
    },
    {
      "cve": "CVE-2022-24773",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2022-03-23T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2067461"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS#1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-forge: Signature verification leniency in checking `DigestInfo` structure",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
        ],
        "known_not_affected": [
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:1b9dbbab044ab8e968d2759a11d703bd25cd9ea398f781810d8ee42f17bea6ae_ppc64le",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:5474cbf94f487f1562ad768a229a73c103c853dc5dfa2efb3a3eb77729256bf9_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/istio-must-gather-rhel8@sha256:cfa0361b9fe8e40a81fe5f1e278ad7a3598567e0ae80a84345ef0a520c1be8f4_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:278b369e56a3d9d15e06140446dcc25cd58279c001f81305c2cd4431a5d17901_s390x",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:bec742ce66c9d1c1bd484c404d3e80e11d72e118f990df3d24bbb0d66e04d498_amd64",
          "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8-operator@sha256:c39704bb84a8a070752c0eb4c507c4a73f2fb90eaf563ca8e48a27fadafc8775_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24773"
        },
        {
          "category": "external",
          "summary": "RHBZ#2067461",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067461"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24773",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24773"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24773",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24773"
        },
        {
          "category": "external",
          "summary": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr",
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr"
        }
      ],
      "release_date": "2022-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-05-05T18:02:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe OpenShift Service Mesh Release Notes provide information on the features and known issues:\n\nhttps://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html",
          "product_ids": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:1739"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:00bf086034f38940086c4f92343b5e239d590cb35b2019d71e4cdb4f0f28b61e_amd64",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:b4adcc404793aa643428a07885581241286ed0593ca88c2ae0593efc20a9244e_s390x",
            "8Base-OSSM-2.1:openshift-service-mesh/kiali-rhel8@sha256:ec7762e97ecec4a90cd93393bcca856a22643c5df52e3605adb7463b27866849_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "node-forge: Signature verification leniency in checking `DigestInfo` structure"
    }
  ]
}

cve-2022-24772

Vulnerability from cvelistv5

Published

2022-03-18 13:30

Modified

2024-08-03 04:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Improper Verification of Cryptographic Signature in `node-forge`

References

▼	URL	Tags
	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1	x_refsource_MISC
	https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2	x_refsource_MISC
	https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	digitalbazaar	forge

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.492Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "forge",
          "vendor": "digitalbazaar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-18T13:30:20",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"
        }
      ],
      "source": {
        "advisory": "GHSA-x4jg-mjrx-434g",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Verification of Cryptographic Signature in `node-forge`",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24772",
          "STATE": "PUBLIC",
          "TITLE": "Improper Verification of Cryptographic Signature in `node-forge`"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "forge",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "digitalbazaar"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-347: Improper Verification of Cryptographic Signature"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1",
              "refsource": "MISC",
              "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
            },
            {
              "name": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2",
              "refsource": "MISC",
              "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
            },
            {
              "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g",
              "refsource": "CONFIRM",
              "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-x4jg-mjrx-434g",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24772",
    "datePublished": "2022-03-18T13:30:20",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-0536

Vulnerability from cvelistv5

Published

2022-02-09 10:45

Modified

2024-08-02 23:32

Severity ?

2.6 (Low) - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects

References

▼	URL	Tags
	https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db	x_refsource_CONFIRM
	https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445	x_refsource_MISC

Impacted products

▼	Vendor	Product
	follow-redirects	follow-redirects/follow-redirects

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:32:46.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "follow-redirects/follow-redirects",
          "vendor": "follow-redirects",
          "versions": [
            {
              "lessThan": "1.14.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\u003c/p\u003e"
            }
          ],
          "value": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-02T08:48:13.471Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
        }
      ],
      "source": {
        "advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0536",
          "STATE": "PUBLIC",
          "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "follow-redirects/follow-redirects",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.14.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "follow-redirects"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
            },
            {
              "name": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445",
              "refsource": "MISC",
              "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
            }
          ]
        },
        "source": {
          "advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0536",
    "datePublished": "2022-02-09T10:45:10",
    "dateReserved": "2022-02-08T00:00:00",
    "dateUpdated": "2024-08-02T23:32:46.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-24773

Vulnerability from cvelistv5

Published

2022-03-18 13:30

Modified

2024-08-03 04:20

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

Improper Verification of Cryptographic Signature in `node-forge`

References

▼	URL	Tags
	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1	x_refsource_MISC
	https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr	x_refsource_CONFIRM
	https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2	x_refsource_MISC

Impacted products

▼	Vendor	Product
	digitalbazaar	forge

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.554Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "forge",
          "vendor": "digitalbazaar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-18T13:30:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
        }
      ],
      "source": {
        "advisory": "GHSA-2r2c-g63r-vccr",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Verification of Cryptographic Signature in `node-forge`",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24773",
          "STATE": "PUBLIC",
          "TITLE": "Improper Verification of Cryptographic Signature in `node-forge`"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "forge",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "digitalbazaar"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-347: Improper Verification of Cryptographic Signature"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1",
              "refsource": "MISC",
              "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
            },
            {
              "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr",
              "refsource": "CONFIRM",
              "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr"
            },
            {
              "name": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2",
              "refsource": "MISC",
              "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2r2c-g63r-vccr",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24773",
    "datePublished": "2022-03-18T13:30:14",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-44906

Vulnerability from cvelistv5

Published

2022-03-17 13:05

Modified

2024-08-04 04:32

Severity ?

Summary

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

References

▼	URL	Tags
	https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
	https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip
	https://github.com/substack/minimist/blob/master/index.js#L69
	https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068
	https://github.com/substack/minimist/issues/164
	https://security.netapp.com/advisory/ntap-20240621-0006/

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:32:13.585Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/substack/minimist/blob/master/index.js#L69"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/substack/minimist/issues/164"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-21T19:07:14.002611",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764"
        },
        {
          "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip"
        },
        {
          "url": "https://github.com/substack/minimist/blob/master/index.js#L69"
        },
        {
          "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068"
        },
        {
          "url": "https://github.com/substack/minimist/issues/164"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-44906",
    "datePublished": "2022-03-17T13:05:57",
    "dateReserved": "2021-12-13T00:00:00",
    "dateUpdated": "2024-08-04T04:32:13.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-0235

Vulnerability from cvelistv5

Published

2022-01-16 00:00

Modified

2024-08-02 23:18

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch

References

▼	URL	Tags
	https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7
	https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10
	https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
	https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html	mailing-list

Impacted products

▼	Vendor	Product
	node-fetch	node-fetch/node-fetch

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:42.930Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
          },
          {
            "name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3222-1] node-fetch security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-fetch/node-fetch",
          "vendor": "node-fetch",
          "versions": [
            {
              "lessThan": "3.1.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-05T00:00:00",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7"
        },
        {
          "url": "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
        },
        {
          "name": "[debian-lts-announce] 20221205 [SECURITY] [DLA 3222-1] node-fetch security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html"
        }
      ],
      "source": {
        "advisory": "d26ab655-38d6-48b3-be15-f9ad6b6ae6f7",
        "discovery": "EXTERNAL"
      },
      "title": "Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0235",
    "datePublished": "2022-01-16T00:00:00",
    "dateReserved": "2022-01-14T00:00:00",
    "dateUpdated": "2024-08-02T23:18:42.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-24771

Vulnerability from cvelistv5

Published

2022-03-18 13:25

Modified

2024-08-03 04:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Improper Verification of Cryptographic Signature in node-forge

References

▼	URL	Tags
	https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765	x_refsource_CONFIRM
	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1	x_refsource_MISC

Impacted products

▼	Vendor	Product
	digitalbazaar	forge

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.502Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "forge",
          "vendor": "digitalbazaar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-18T13:25:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
        }
      ],
      "source": {
        "advisory": "GHSA-cfm4-qjh2-4765",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Verification of Cryptographic Signature in node-forge",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24771",
          "STATE": "PUBLIC",
          "TITLE": "Improper Verification of Cryptographic Signature in node-forge"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "forge",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "digitalbazaar"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-347: Improper Verification of Cryptographic Signature"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765",
              "refsource": "CONFIRM",
              "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
            },
            {
              "name": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1",
              "refsource": "MISC",
              "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cfm4-qjh2-4765",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24771",
    "datePublished": "2022-03-18T13:25:11",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2022_1739

Vulnerability from csaf_redhat

cve-2022-24772

Vulnerability from cvelistv5

cve-2022-0536

Vulnerability from cvelistv5

cve-2022-24773

Vulnerability from cvelistv5

cve-2021-44906

Vulnerability from cvelistv5

cve-2022-0235

Vulnerability from cvelistv5

cve-2022-24771

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature