rhsa-2022_7055
Vulnerability from csaf_redhat
Published
2022-10-19 12:55
Modified
2024-11-08 20:46
Summary
Red Hat Security Advisory: RHOSDT 2.6.0 operator/operand containers Security Update

Notes

Topic
An update is now available for Red Hat Openshift distributed tracing 2.6.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat OpenShift distributed tracing provides these changes: Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * eventsource: Exposure of Sensitive Information (CVE-2022-1650) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat Openshift distributed tracing 2.6.0\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat OpenShift distributed tracing provides these changes:\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* eventsource: Exposure of Sensitive Information (CVE-2022-1650)\n\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n\n* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)\n\n* Moment.js: Path traversal  in moment.locale (CVE-2022-24785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:7055",
        "url": "https://access.redhat.com/errata/RHSA-2022:7055"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2024702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
      },
      {
        "category": "external",
        "summary": "2053259",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
      },
      {
        "category": "external",
        "summary": "2072009",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
      },
      {
        "category": "external",
        "summary": "2085307",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307"
      },
      {
        "category": "external",
        "summary": "2105075",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7055.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHOSDT 2.6.0 operator/operand containers Security Update",
    "tracking": {
      "current_release_date": "2024-11-08T20:46:54+00:00",
      "generator": {
        "date": "2024-11-08T20:46:54+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2022:7055",
      "initial_release_date": "2022-10-19T12:55:42+00:00",
      "revision_history": [
        {
          "date": "2022-10-19T12:55:42+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-10-19T12:55:42+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-08T20:46:54+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift distributed tracing 2.6",
                "product": {
                  "name": "Red Hat OpenShift distributed tracing 2.6",
                  "product_id": "8Base-RHOSDT-2.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift distributed tracing"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314?arch=s390x\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865?arch=amd64\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                "product": {
                  "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                  "product_id": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-collector-rhel8\u0026tag=0.60.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                "product": {
                  "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                  "product_id": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhosdt/opentelemetry-rhel8-operator\u0026tag=0.60.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64 as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64"
        },
        "product_reference": "rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64 as a component of Red Hat OpenShift distributed tracing 2.6",
          "product_id": "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        },
        "product_reference": "rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64",
        "relates_to_product_reference": "8Base-RHOSDT-2.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-3918",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2021-11-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2024702"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs-json-schema: Prototype pollution vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "npm versions 8.0.0 and older provide a vulnerable version of the json-schema library. However, it is currently believed that in the context of npm, it is not possible to take advantage of the vulnerability.\n\nRed Hat Enterprise Linux version 8 and Software Collections provide a vulnerable version of the json-schema library only as embedded in the npm package. As a result, the severity of the incident has been lowered for these 2 products.\n\nRed Hat Quay includes json-schema as a development dependency of quay-registry-container. As a result, the impact rating has been lowered to Moderate.\n\nIn Red Hat OpenShift Container Platform (RHOCP), Red Hat Openshift Data Foundations (ODF), Red Hat distributed tracing, Migration Toolkit for Virtualization (MTV) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are behind OpenShift OAuth. This restricts access to the vulnerable json-schema library to authenticated users only, therefore the impact is reduced to Moderate.\n\nIn Red Hat Openshift Data Foundations (ODF) the odf4/mcg-core-rhel8 component has \"Will not fix status\", but starting from ODF 4.11 stream this component contains already patched version of the json-schema library. Earlier version of ODF are already under Maintenance Support phase, hence this vulnerability will not be fixed.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3918"
        },
        {
          "category": "external",
          "summary": "RHBZ#2024702",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024702"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3918",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
        }
      ],
      "release_date": "2021-10-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs-json-schema: Prototype pollution vulnerability"
    },
    {
      "cve": "CVE-2022-0536",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "discovery_date": "2022-02-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2053259"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the follow-redirects package. This flaw allows the exposure of sensitive information to an unauthorized actor due to the usage of insecure HTTP protocol. This issue happens with an Authorization header leak from the same hostname, https-http, and requires a Man-in-the-Middle (MITM) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "RHBZ#2053259",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053259"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0536",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0536"
        }
      ],
      "release_date": "2022-02-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "follow-redirects: Exposure of Sensitive Information via Authorization Header leak"
    },
    {
      "cve": "CVE-2022-1650",
      "cwe": {
        "id": "CWE-359",
        "name": "Exposure of Private Personal Information to an Unauthorized Actor"
      },
      "discovery_date": "2022-05-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2085307"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the EventSource NPM Package. The description from the source states the following message: \"Exposure of Sensitive Information to an Unauthorized Actor.\" This flaw allows an attacker to steal the user\u0027s credentials and then use the credentials to access the legitimate website.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "eventsource: Exposure of Sensitive Information",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "RHBZ#2085307",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085307"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1650",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e",
          "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
        }
      ],
      "release_date": "2022-05-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "eventsource: Exposure of Sensitive Information"
    },
    {
      "cve": "CVE-2022-24785",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2022-04-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2072009"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Moment.js: Path traversal  in moment.locale",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "RHBZ#2072009",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
        }
      ],
      "release_date": "2022-04-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        },
        {
          "category": "workaround",
          "details": "Sanitize the user-provided locale name before passing it to Moment.js.",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Moment.js: Path traversal  in moment.locale"
    },
    {
      "cve": "CVE-2022-31129",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-07-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2105075"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "moment: inefficient parsing algorithm resulting in DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
          "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "RHBZ#2105075",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
        },
        {
          "category": "external",
          "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
          "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
        }
      ],
      "release_date": "2022-07-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-19T12:55:42+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:7055"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:19b497addaa9210f2b2048421a5a8ef1a8748bbb0884af10e23c59473dda544b_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:2089cab411ac3fc66784bacdf080ed6ff51d0a4450cc7f246915e96ed6cf8665_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-collector-rhel8@sha256:9bc1969a7862230282b9f8b902906e51cb0fdb3e3c368579a580eaccaacc7b03_amd64",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:3ed70e814b9458affbf3ad5057a741b9f453095220c6548e2bd2960a6cdf6314_s390x",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:6c35a77e6118ba050a01e0dd5f0f6cca20211ac513cb4d92ae4058f78459610d_ppc64le",
            "8Base-RHOSDT-2.6:rhosdt/opentelemetry-rhel8-operator@sha256:74d8fed59e7ed6389bfbf08bd6279b035f18fddd82056f597e6d34ccbb99c865_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "moment: inefficient parsing algorithm resulting in DoS"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.