csaf_redhat - rhsa-2022

rhsa-2022_7055

Vulnerability from csaf_redhat

Published

2022-10-19 12:55

Modified

2024-11-21 21:15

Summary

Red Hat Security Advisory: RHOSDT 2.6.0 operator/operand containers Security Update

Notes

Topic

An update is now available for Red Hat Openshift distributed tracing 2.6.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

This release of Red Hat OpenShift distributed tracing provides these changes: Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * eventsource: Exposure of Sensitive Information (CVE-2022-1650) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat Openshift distributed tracing 2.6.0\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat OpenShift distributed tracing provides these changes:\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* eventsource: Exposure of Sensitive Information (CVE-2022-1650)\n\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n\n* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)\n\n* Moment.js: Path traversal  in moment.locale (CVE-2022-24785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:7055",
        "url": "https://access.redhat.com/errata/RHSA-2022:7055"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2024702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
      },
      {
        "category": "external",
        "summary": "2053259",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
      },
      {
        "category": "external",
        "summary": "2072009",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
      },
      {
        "category": "external",
        "summary": "2085307",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307"
      },
      {
        "category": "external",
        "summary": "2105075",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7055.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHOSDT 2.6.0 operator/operand containers Security Update",
    "tracking": {
      "current_release_date": "2024-11-21T21:15:43+00:00",
      "generator": {
        "date": "2024-11-21T21:15:43+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:7055",
      "initial_release_date": "2022-10-19T12:55:42+00:00",
      "revision_history": [
        {
          "date": "2022-10-19T12:55:42+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-10-19T12:55:42+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T21:15:43+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift distributed tracing 2.6",
                "product": {
                  "name": "Red Hat OpenShift distributed tracing 2.6",
                  "product_id": "8Base-RHOSDT-2.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift distributed tracing"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64 as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64 as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-3918",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2021-11-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2024702"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs-json-schema: Prototype pollution vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3918"
        },
        {
          "category": "external",
          "summary": "RHBZ#2024702",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
        }
      ],
      "release_date": "2021-10-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs-json-schema: Prototype pollution vulnerability"
    },
    {
      "cve": "CVE-2022-0536",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "discovery_date": "2022-02-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2053259"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "RHBZ#2053259",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0536",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536"
        }
      ],
      "release_date": "2022-02-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak"
    },
    {
      "cve": "CVE-2022-1650",
      "cwe": {
        "id": "CWE-359",
        "name": "Exposure of Private Personal Information to an Unauthorized Actor"
      },
      "discovery_date": "2022-05-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2085307"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the EventSource NPM Package. The description from the source states the following message: \"Exposure of Sensitive Information to an Unauthorized Actor.\" This flaw allows an attacker to steal the user\u0027s credentials and then use the credentials to access the legitimate website.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "eventsource: Exposure of Sensitive Information",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "RHBZ#2085307",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1650",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e",
          "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
        }
      ],
      "release_date": "2022-05-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "eventsource: Exposure of Sensitive Information"
    },
    {
      "cve": "CVE-2022-24785",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2022-04-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2072009"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Moment.js: Path traversal  in moment.locale",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "RHBZ#2072009",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
        }
      ],
      "release_date": "2022-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        },
        {
          "category": "workaround",
          "details": "Sanitize the user-provided locale name before passing it to Moment.js.",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Moment.js: Path traversal  in moment.locale"
    },
    {
      "cve": "CVE-2022-31129",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-07-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2105075"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "moment: inefficient parsing algorithm resulting in DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "RHBZ#2105075",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
        }
      ],
      "release_date": "2022-07-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "moment: inefficient parsing algorithm resulting in DoS"
    }
  ]
}

cve-2021-3918

Vulnerability from cvelistv5

Published

2021-11-13 00:00

Modified

2024-08-03 17:09

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Prototype Pollution in kriszyp/json-schema

References

▼	URL	Tags
	https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
	https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
	https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html	mailing-list

Impacted products

▼	Vendor	Product
	kriszyp	kriszyp/json-schema

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.702Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
          },
          {
            "name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kriszyp/json-schema",
          "vendor": "kriszyp",
          "versions": [
            {
              "lessThanOrEqual": "0.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-06T00:00:00",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
        },
        {
          "url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
        },
        {
          "name": "[debian-lts-announce] 20221206 [SECURITY] [DLA 3228-1] node-json-schema security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
        }
      ],
      "source": {
        "advisory": "bb6ccd63-f505-4e3a-b55f-cd2662c261a9",
        "discovery": "EXTERNAL"
      },
      "title": "Prototype Pollution in kriszyp/json-schema"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3918",
    "datePublished": "2021-11-13T00:00:00",
    "dateReserved": "2021-11-02T00:00:00",
    "dateUpdated": "2024-08-03T17:09:09.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-24785

Vulnerability from cvelistv5

Published

2022-04-04 00:00

Modified

2024-08-03 04:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Path Traversal in Moment.js

References

▼	URL	Tags
	https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
	https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
	https://www.tenable.com/security/tns-2022-09
	https://security.netapp.com/advisory/ntap-20220513-0006/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html	mailing-list

Impacted products

▼	Vendor	Product
	moment	moment

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.533Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2022-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220513-0006/"
          },
          {
            "name": "FEDORA-2022-85aa8e5706",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
          },
          {
            "name": "FEDORA-2022-35b698150c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
          },
          {
            "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moment",
          "vendor": "moment",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.1, \u003c 2.29.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-27",
              "description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-31T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
        },
        {
          "url": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5"
        },
        {
          "url": "https://www.tenable.com/security/tns-2022-09"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220513-0006/"
        },
        {
          "name": "FEDORA-2022-85aa8e5706",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
        },
        {
          "name": "FEDORA-2022-35b698150c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
        },
        {
          "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
        }
      ],
      "source": {
        "advisory": "GHSA-8hfj-j24r-96c4",
        "discovery": "UNKNOWN"
      },
      "title": "Path Traversal in Moment.js"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24785",
    "datePublished": "2022-04-04T00:00:00",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-1650

Vulnerability from cvelistv5

Published

2022-05-12 00:00

Modified

2024-08-03 00:10

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

Improper Removal of Sensitive Information Before Storage or Transfer in eventsource/eventsource

References

▼	URL	Tags
	https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e
	https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4
	https://lists.debian.org/debian-lts-announce/2022/12/msg00021.html	mailing-list

Impacted products

▼	Vendor	Product
	eventsource	eventsource/eventsource

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:10:03.747Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4"
          },
          {
            "name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3235-1] node-eventsource security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "eventsource/eventsource",
          "vendor": "eventsource",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v2.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "v2.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v1.1.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "v1.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212  Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-02T08:39:40.475Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
        },
        {
          "url": "https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4"
        },
        {
          "name": "[debian-lts-announce] 20221211 [SECURITY] [DLA 3235-1] node-eventsource security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00021.html"
        }
      ],
      "source": {
        "advisory": "dc9e467f-be5d-4945-867d-1044d27e9b8e",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Removal of Sensitive Information Before Storage or Transfer in eventsource/eventsource",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-1650",
    "datePublished": "2022-05-12T00:00:00",
    "dateReserved": "2022-05-10T00:00:00",
    "dateUpdated": "2024-08-03T00:10:03.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-31129

Vulnerability from cvelistv5

Published

2022-07-06 00:00

Modified

2024-08-03 07:11

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Inefficient Regular Expression Complexity in moment

References

▼	URL	Tags
	https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
	https://github.com/moment/moment/pull/6015#issuecomment-1152961973
	https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
	https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20221014-0003/
	https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html	mailing-list

Impacted products

▼	Vendor	Product
	moment	moment

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.222Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/"
          },
          {
            "name": "FEDORA-2022-85aa8e5706",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
          },
          {
            "name": "FEDORA-2022-35b698150c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
          },
          {
            "name": "FEDORA-2022-b9ef7c3c3c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/"
          },
          {
            "name": "FEDORA-2022-798fd95813",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221014-0003/"
          },
          {
            "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moment",
          "vendor": "moment",
          "versions": [
            {
              "status": "affected",
              "version": " \u003e= 2.18.0, \u003c 2.29.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-31T00:00:00",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
        },
        {
          "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
        },
        {
          "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"
        },
        {
          "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/"
        },
        {
          "name": "FEDORA-2022-85aa8e5706",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/"
        },
        {
          "name": "FEDORA-2022-35b698150c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"
        },
        {
          "name": "FEDORA-2022-b9ef7c3c3c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/"
        },
        {
          "name": "FEDORA-2022-798fd95813",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221014-0003/"
        },
        {
          "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
        }
      ],
      "source": {
        "advisory": "GHSA-wc69-rhjr-hc9g",
        "discovery": "UNKNOWN"
      },
      "title": "Inefficient Regular Expression Complexity in moment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31129",
    "datePublished": "2022-07-06T00:00:00",
    "dateReserved": "2022-05-18T00:00:00",
    "dateUpdated": "2024-08-03T07:11:39.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-0536

Vulnerability from cvelistv5

Published

2022-02-09 10:45

Modified

2024-08-02 23:32

Severity ?

2.6 (Low) - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects

References

▼	URL	Tags
	https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db	x_refsource_CONFIRM
	https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445	x_refsource_MISC

Impacted products

▼	Vendor	Product
	follow-redirects	follow-redirects/follow-redirects

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:32:46.161Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "follow-redirects/follow-redirects",
          "vendor": "follow-redirects",
          "versions": [
            {
              "lessThan": "1.14.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\u003c/p\u003e"
            }
          ],
          "value": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-02T08:48:13.471Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
        }
      ],
      "source": {
        "advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0536",
          "STATE": "PUBLIC",
          "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "follow-redirects/follow-redirects",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.14.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "follow-redirects"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db"
            },
            {
              "name": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445",
              "refsource": "MISC",
              "url": "https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445"
            }
          ]
        },
        "source": {
          "advisory": "7cf2bf90-52da-4d59-8028-a73b132de0db",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0536",
    "datePublished": "2022-02-09T10:45:10",
    "dateReserved": "2022-02-08T00:00:00",
    "dateUpdated": "2024-08-02T23:32:46.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2022_7055

Vulnerability from csaf_redhat

cve-2021-3918

Vulnerability from cvelistv5

cve-2022-24785

Vulnerability from cvelistv5

cve-2022-1650

Vulnerability from cvelistv5

cve-2022-31129

Vulnerability from cvelistv5

cve-2022-0536

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature