rhsa-2022_5673
Vulnerability from csaf_redhat
Published
2022-07-20 15:48
Modified
2024-11-13 23:45
Summary
Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Notes

Topic
Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.
Details
Release osp-director-operator images Security Fix(es): * go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321) * go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322) * go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323) * go-getter: command injection vulnerability [Important] (CVE-2022-26945) * golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565) * containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Release osp-director-operator images\n\nSecurity Fix(es):\n\n* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)\n* go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)\n* go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)\n* go-getter: command injection vulnerability [Important] (CVE-2022-26945)\n* golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565)\n* containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:5673",
        "url": "https://access.redhat.com/errata/RHSA-2022:5673"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/errata/RHSA-2022:4991",
        "url": "https://access.redhat.com/errata/RHSA-2022:4991"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/containers",
        "url": "https://access.redhat.com/containers"
      },
      {
        "category": "external",
        "summary": "2011007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
      },
      {
        "category": "external",
        "summary": "2030787",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
      },
      {
        "category": "external",
        "summary": "2092918",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
      },
      {
        "category": "external",
        "summary": "2092923",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
      },
      {
        "category": "external",
        "summary": "2092925",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
      },
      {
        "category": "external",
        "summary": "2092928",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5673.json"
      }
    ],
    "title": "Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview",
    "tracking": {
      "current_release_date": "2024-11-13T23:45:07+00:00",
      "generator": {
        "date": "2024-11-13T23:45:07+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHSA-2022:5673",
      "initial_release_date": "2022-07-20T15:48:31+00:00",
      "revision_history": [
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-13T23:45:07+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Platform 16.2",
                "product": {
                  "name": "Red Hat OpenStack Platform 16.2",
                  "product_id": "8Base-RHOS-16.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:16.2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-downloader\u0026tag=1.2.3-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator-bundle\u0026tag=1.2.3-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator\u0026tag=1.2.3-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41103",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-10-04T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2011007"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the containerd package. Containerd could allow a local authenticated attacker to traverse directories on the system, due to improper restricted permissions on the container root and plugin directories. This issue could allow an attacker to send a specially-crafted request containing \"dot dot\" sequences (/../) to view directory contents and execute programs.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "containerd: insufficiently restricted permissions on container root and plugin directories",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "RHBZ#2011007",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-41103",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103"
        }
      ],
      "release_date": "2021-10-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "containerd: insufficiently restricted permissions on container root and plugin directories"
    },
    {
      "cve": "CVE-2021-43565",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2021-12-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2030787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "There\u0027s an input validation flaw in golang.org/x/crypto\u0027s readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto: empty plaintext packet causes panic",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "go-toolset shipped with Red Hat Developer Tools - Compilers and golang shipped with Red Hat Enterprise Linux 8 are not affected by this flaw because they do not ship the vulnerable code.\n\nThis flaw was rated to have a Moderate impact because it is not shipped in the Golang standard library and thus has a reduced impact to products compared with other flaws of this type.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "RHBZ#2030787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43565",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565"
        }
      ],
      "release_date": "2021-12-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang.org/x/crypto: empty plaintext packet causes panic"
    },
    {
      "cve": "CVE-2022-26945",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092928"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: command injection vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092928",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-26945",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: command injection vulnerability"
    },
    {
      "cve": "CVE-2022-30321",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092918"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 1 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092918",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30321",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 1 of 3)"
    },
    {
      "cve": "CVE-2022-30322",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092923"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 2 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092923",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30322",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 2 of 3)"
    },
    {
      "cve": "CVE-2022-30323",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092925"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 3 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092925",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30323",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-07-20T15:48:31+00:00",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 3 of 3)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.