Vulnerability-Lookup

RHSA-2022_5673

Vulnerability from csaf_redhat - Published: 2022-07-20 15:48 - Updated: 2024-12-17 21:58

Summary

Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Severity

Important

Notes

Topic: Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

Details: Release osp-director-operator images Security Fix(es): * go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321) * go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322) * go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323) * go-getter: command injection vulnerability [Important] (CVE-2022-26945) * golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565) * containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2021-41103

A flaw was found in the containerd package. Containerd could allow a local authenticated attacker to traverse directories on the system, due to improper restricted permissions on the container root and plugin directories. This issue could allow an attacker to send a specially-crafted request containing "dot dot" sequences (/../) to view directory contents and execute programs.

5.9 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

CVE-2021-43565

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

CVE-2022-26945

A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

Workaround The fix includes new configuration options to help limit the security exposure and have more secure defaults.

CVE-2022-30321

A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-229 - Improper Handling of Values

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

Workaround The fix includes new configuration options to help limit the security exposure and have more secure defaults.

CVE-2022-30322

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-229 - Improper Handling of Values

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

Workaround The fix includes new configuration options to help limit the security exposure and have more secure defaults.

CVE-2022-30323

A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-229 - Improper Handling of Values

Vendor Fix OSP 16.2 Release - OSP Director Operator Containers tech preview https://access.redhat.com/errata/RHSA-2022:5673

Workaround The fix includes new configuration options to help limit the security exposure and have more secure defaults.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2022:5673	self
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/errata/RHSA-2022:4991	external
	https://access.redhat.com/containers	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2011007	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2030787	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2092918	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2092923	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2092925	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2092928	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2021-41103	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2011007	external
	https://www.cve.org/CVERecord?id=CVE-2021-41103	external
	https://nvd.nist.gov/vuln/detail/CVE-2021-41103	external
	https://access.redhat.com/security/cve/CVE-2021-43565	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2030787	external
	https://www.cve.org/CVERecord?id=CVE-2021-43565	external
	https://nvd.nist.gov/vuln/detail/CVE-2021-43565	external
	https://access.redhat.com/security/cve/CVE-2022-26945	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2092928	external
	https://www.cve.org/CVERecord?id=CVE-2022-26945	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-26945	external
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	external
	https://access.redhat.com/security/cve/CVE-2022-30321	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2092918	external
	https://www.cve.org/CVERecord?id=CVE-2022-30321	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-30321	external
	https://access.redhat.com/security/cve/CVE-2022-30322	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2092923	external
	https://www.cve.org/CVERecord?id=CVE-2022-30322	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-30322	external
	https://access.redhat.com/security/cve/CVE-2022-30323	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2092925	external
	https://www.cve.org/CVERecord?id=CVE-2022-30323	external
	https://nvd.nist.gov/vuln/detail/CVE-2022-30323	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Release osp-director-operator images\n\nSecurity Fix(es):\n\n* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)\n* go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)\n* go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)\n* go-getter: command injection vulnerability [Important] (CVE-2022-26945)\n* golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565)\n* containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:5673",
        "url": "https://access.redhat.com/errata/RHSA-2022:5673"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/errata/RHSA-2022:4991",
        "url": "https://access.redhat.com/errata/RHSA-2022:4991"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/containers",
        "url": "https://access.redhat.com/containers"
      },
      {
        "category": "external",
        "summary": "2011007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
      },
      {
        "category": "external",
        "summary": "2030787",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
      },
      {
        "category": "external",
        "summary": "2092918",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
      },
      {
        "category": "external",
        "summary": "2092923",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
      },
      {
        "category": "external",
        "summary": "2092925",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
      },
      {
        "category": "external",
        "summary": "2092928",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5673.json"
      }
    ],
    "title": "Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview",
    "tracking": {
      "current_release_date": "2024-12-17T21:58:38+00:00",
      "generator": {
        "date": "2024-12-17T21:58:38+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.3"
        }
      },
      "id": "RHSA-2022:5673",
      "initial_release_date": "2022-07-20T15:48:31+00:00",
      "revision_history": [
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-17T21:58:38+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Platform 16.2",
                "product": {
                  "name": "Red Hat OpenStack Platform 16.2",
                  "product_id": "8Base-RHOS-16.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:16.2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-downloader\u0026tag=1.2.3-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator-bundle\u0026tag=1.2.3-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator\u0026tag=1.2.3-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41103",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-10-04T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2011007"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the containerd package. Containerd could allow a local authenticated attacker to traverse directories on the system, due to improper restricted permissions on the container root and plugin directories. This issue could allow an attacker to send a specially-crafted request containing \"dot dot\" sequences (/../) to view directory contents and execute programs.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "containerd: insufficiently restricted permissions on container root and plugin directories",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "RHBZ#2011007",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-41103",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103"
        }
      ],
      "release_date": "2021-10-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "containerd: insufficiently restricted permissions on container root and plugin directories"
    },
    {
      "cve": "CVE-2021-43565",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2021-12-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2030787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "There\u0027s an input validation flaw in golang.org/x/crypto\u0027s readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto: empty plaintext packet causes panic",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "go-toolset shipped with Red Hat Developer Tools - Compilers and golang shipped with Red Hat Enterprise Linux 8 are not affected by this flaw because they do not ship the vulnerable code.\n\nThis flaw was rated to have a Moderate impact because it is not shipped in the Golang standard library and thus has a reduced impact to products compared with other flaws of this type.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "RHBZ#2030787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43565",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565"
        }
      ],
      "release_date": "2021-12-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang.org/x/crypto: empty plaintext packet causes panic"
    },
    {
      "cve": "CVE-2022-26945",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092928"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: command injection vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092928",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-26945",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: command injection vulnerability"
    },
    {
      "cve": "CVE-2022-30321",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092918"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 1 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092918",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30321",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 1 of 3)"
    },
    {
      "cve": "CVE-2022-30322",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092923"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 2 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092923",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30322",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 2 of 3)"
    },
    {
      "cve": "CVE-2022-30323",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092925"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 3 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092925",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30323",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 3 of 3)"
    }
  ]
}

CVE-2021-41103 (GCVE-0-2021-41103)

Vulnerability from cvelistv5 – Published: 2021-10-04 00:00 – Updated: 2024-08-04 02:59

Title

Insufficiently restricted permissions on plugin directories

Summary

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/containerd/containerd/security…
	https://github.com/containerd/containerd/commit/5…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.debian.org/security/2021/dsa-5002	vendor-advisory
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://security.gentoo.org/glsa/202401-31	vendor-advisory

Impacted products

	Vendor	Product	Version
	containerd	containerd	Affected: < 1.4.11 Affected: >= 1.5.0, < 1.5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8"
          },
          {
            "name": "FEDORA-2021-df975338d4",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
          },
          {
            "name": "FEDORA-2021-b5a9a481a2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
          },
          {
            "name": "DSA-5002",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5002"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
          },
          {
            "name": "GLSA-202401-31",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-31"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c 1.5.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T13:06:20.094Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq"
        },
        {
          "url": "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8"
        },
        {
          "name": "FEDORA-2021-df975338d4",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
        },
        {
          "name": "FEDORA-2021-b5a9a481a2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
        },
        {
          "name": "DSA-5002",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5002"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
        },
        {
          "name": "GLSA-202401-31",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-31"
        }
      ],
      "source": {
        "advisory": "GHSA-c2h3-6mxw-7mvq",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficiently restricted permissions on plugin directories"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41103",
    "datePublished": "2021-10-04T00:00:00.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-04T02:59:31.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-43565 (GCVE-0-2021-43565)

Vulnerability from cvelistv5 – Published: 2022-09-06 17:03 – Updated: 2024-08-04 04:03

Summary

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://groups.google.com/forum/#%21forum/golang-…	x_refsource_MISC
	https://groups.google.com/g/golang-announce/c/2AR…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:07.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/golang-announce"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-06T17:03:42.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/golang-announce"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-43565",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/golang-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/golang-announce"
            },
            {
              "name": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-43565",
    "datePublished": "2022-09-06T17:03:42.000Z",
    "dateReserved": "2021-11-09T00:00:00.000Z",
    "dateUpdated": "2024-08-04T04:03:07.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-26945 (GCVE-0-2022-26945)

Vulnerability from cvelistv5 – Published: 2022-05-25 11:19 – Updated: 2024-08-03 05:18

Summary

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://discuss.hashicorp.com	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:18:38.351Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T21:31:38.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26945",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26945",
    "datePublished": "2022-05-25T11:19:48.000Z",
    "dateReserved": "2022-03-12T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:18:38.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-30321 (GCVE-0-2022-30321)

Vulnerability from cvelistv5 – Published: 2022-05-25 11:19 – Updated: 2024-08-03 06:48

Summary

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://discuss.hashicorp.com	x_refsource_MISC
	https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T21:35:58.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30321",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30321",
    "datePublished": "2022-05-25T11:19:42.000Z",
    "dateReserved": "2022-05-07T00:00:00.000Z",
    "dateUpdated": "2024-08-03T06:48:35.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-30323 (GCVE-0-2022-30323)

Vulnerability from cvelistv5 – Published: 2022-05-25 11:19 – Updated: 2024-08-03 06:48

Summary

go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://discuss.hashicorp.com	x_refsource_MISC
	https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T23:10:10.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30323",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30323",
    "datePublished": "2022-05-25T11:19:30.000Z",
    "dateReserved": "2022-05-07T00:00:00.000Z",
    "dateUpdated": "2024-08-03T06:48:35.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-30322 (GCVE-0-2022-30322)

Vulnerability from cvelistv5 – Published: 2022-05-25 11:19 – Updated: 2024-08-03 06:48

Summary

go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://discuss.hashicorp.com	x_refsource_MISC
	https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC
	https://discuss.hashicorp.com/t/hcsec-2022-13-mul…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T23:05:55.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30322",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30322",
    "datePublished": "2022-05-25T11:19:35.000Z",
    "dateReserved": "2022-05-07T00:00:00.000Z",
    "dateUpdated": "2024-08-03T06:48:35.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2022_5673

CVE-2021-41103 (GCVE-0-2021-41103)

CVE-2021-43565 (GCVE-0-2021-43565)

CVE-2022-26945 (GCVE-0-2022-26945)

CVE-2022-30321 (GCVE-0-2022-30321)

CVE-2022-30323 (GCVE-0-2022-30323)

CVE-2022-30322 (GCVE-0-2022-30322)

Tags

Sightings

Nomenclature