Vulnerability-Lookup

RHSA-2023:6143

Vulnerability from csaf_redhat - Published: 2023-10-26 16:29 - Updated: 2026-04-12 07:38

Summary

Red Hat Security Advisory: OpenShift Container Platform 4.14.0 CNF vRAN extras security update

Severity

Important

Notes

Topic: An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14. Security Fix(es): * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325) * baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2023-30841

A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included deploy.sh store `.htpasswd` files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster or access to the management cluster's etcd storage.

6.0 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2023:6143

CVE-2023-39325

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Workaround The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2023:6143	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2190116	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2243296	external
	https://issues.redhat.com/browse/CNF-7424	external
	https://issues.redhat.com/browse/CNF-7818	external
	https://issues.redhat.com/browse/CNF-7823	external
	https://issues.redhat.com/browse/CNF-8039	external
	https://issues.redhat.com/browse/CNF-8305	external
	https://issues.redhat.com/browse/CNF-8413	external
	https://issues.redhat.com/browse/CNF-8518	external
	https://issues.redhat.com/browse/CNF-8526	external
	https://issues.redhat.com/browse/CNF-8527	external
	https://issues.redhat.com/browse/CNF-8528	external
	https://issues.redhat.com/browse/CNF-8619	external
	https://issues.redhat.com/browse/CNF-8672	external
	https://issues.redhat.com/browse/CNF-8675	external
	https://issues.redhat.com/browse/CNF-8851	external
	https://issues.redhat.com/browse/CNF-8908	external
	https://issues.redhat.com/browse/CNF-9146	external
	https://issues.redhat.com/browse/CNF-9438	external
	https://issues.redhat.com/browse/OCPBUGS-11292	external
	https://issues.redhat.com/browse/OCPBUGS-11380	external
	https://issues.redhat.com/browse/OCPBUGS-11603	external
	https://issues.redhat.com/browse/OCPBUGS-11769	external
	https://issues.redhat.com/browse/OCPBUGS-12152	external
	https://issues.redhat.com/browse/OCPBUGS-12966	external
	https://issues.redhat.com/browse/OCPBUGS-13050	external
	https://issues.redhat.com/browse/OCPBUGS-13070	external
	https://issues.redhat.com/browse/OCPBUGS-13634	external
	https://issues.redhat.com/browse/OCPBUGS-13805	external
	https://issues.redhat.com/browse/OCPBUGS-13981	external
	https://issues.redhat.com/browse/OCPBUGS-14921	external
	https://issues.redhat.com/browse/OCPBUGS-15102	external
	https://issues.redhat.com/browse/OCPBUGS-15369	external
	https://issues.redhat.com/browse/OCPBUGS-15470	external
	https://issues.redhat.com/browse/OCPBUGS-15790	external
	https://issues.redhat.com/browse/OCPBUGS-16032	external
	https://issues.redhat.com/browse/OCPBUGS-16094	external
	https://issues.redhat.com/browse/OCPBUGS-16358	external
	https://issues.redhat.com/browse/OCPBUGS-16412	external
	https://issues.redhat.com/browse/OCPBUGS-16742	external
	https://issues.redhat.com/browse/OCPBUGS-17037	external
	https://issues.redhat.com/browse/OCPBUGS-17382	external
	https://issues.redhat.com/browse/OCPBUGS-17699	external
	https://issues.redhat.com/browse/OCPBUGS-18867	external
	https://issues.redhat.com/browse/OCPBUGS-19066	external
	https://issues.redhat.com/browse/OCPBUGS-19349	external
	https://issues.redhat.com/browse/OCPBUGS-19637	external
	https://issues.redhat.com/browse/OCPBUGS-19954	external
	https://issues.redhat.com/browse/OCPBUGS-19999	external
	https://issues.redhat.com/browse/OCPBUGS-20148	external
	https://issues.redhat.com/browse/OCPBUGS-20423	external
	https://issues.redhat.com/browse/OCPBUGS-22223	external
	https://issues.redhat.com/browse/OCPBUGS-9413	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2023-30841	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2190116	external
	https://www.cve.org/CVERecord?id=CVE-2023-30841	external
	https://nvd.nist.gov/vuln/detail/CVE-2023-30841	external
	https://github.com/metal3-io/baremetal-operator/p…	external
	https://github.com/metal3-io/baremetal-operator/s…	external
	https://access.redhat.com/security/cve/CVE-2023-39325	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2243296	external
	https://access.redhat.com/security/vulnerabilitie…	external
	https://www.cve.org/CVERecord?id=CVE-2023-39325	external
	https://nvd.nist.gov/vuln/detail/CVE-2023-39325	external
	https://access.redhat.com/security/cve/CVE-2023-44487	external
	https://go.dev/issue/63417	external
	https://pkg.go.dev/vuln/GO-2023-2102	external
	https://www.cisa.gov/news-events/alerts/2023/10/1…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14.\n\nSecurity Fix(es):\n\n* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)\n\n* baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform users are advised to upgrade to these updated packages and images.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6143",
        "url": "https://access.redhat.com/errata/RHSA-2023:6143"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2190116",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2190116"
      },
      {
        "category": "external",
        "summary": "2243296",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
      },
      {
        "category": "external",
        "summary": "CNF-7424",
        "url": "https://issues.redhat.com/browse/CNF-7424"
      },
      {
        "category": "external",
        "summary": "CNF-7818",
        "url": "https://issues.redhat.com/browse/CNF-7818"
      },
      {
        "category": "external",
        "summary": "CNF-7823",
        "url": "https://issues.redhat.com/browse/CNF-7823"
      },
      {
        "category": "external",
        "summary": "CNF-8039",
        "url": "https://issues.redhat.com/browse/CNF-8039"
      },
      {
        "category": "external",
        "summary": "CNF-8305",
        "url": "https://issues.redhat.com/browse/CNF-8305"
      },
      {
        "category": "external",
        "summary": "CNF-8413",
        "url": "https://issues.redhat.com/browse/CNF-8413"
      },
      {
        "category": "external",
        "summary": "CNF-8518",
        "url": "https://issues.redhat.com/browse/CNF-8518"
      },
      {
        "category": "external",
        "summary": "CNF-8526",
        "url": "https://issues.redhat.com/browse/CNF-8526"
      },
      {
        "category": "external",
        "summary": "CNF-8527",
        "url": "https://issues.redhat.com/browse/CNF-8527"
      },
      {
        "category": "external",
        "summary": "CNF-8528",
        "url": "https://issues.redhat.com/browse/CNF-8528"
      },
      {
        "category": "external",
        "summary": "CNF-8619",
        "url": "https://issues.redhat.com/browse/CNF-8619"
      },
      {
        "category": "external",
        "summary": "CNF-8672",
        "url": "https://issues.redhat.com/browse/CNF-8672"
      },
      {
        "category": "external",
        "summary": "CNF-8675",
        "url": "https://issues.redhat.com/browse/CNF-8675"
      },
      {
        "category": "external",
        "summary": "CNF-8851",
        "url": "https://issues.redhat.com/browse/CNF-8851"
      },
      {
        "category": "external",
        "summary": "CNF-8908",
        "url": "https://issues.redhat.com/browse/CNF-8908"
      },
      {
        "category": "external",
        "summary": "CNF-9146",
        "url": "https://issues.redhat.com/browse/CNF-9146"
      },
      {
        "category": "external",
        "summary": "CNF-9438",
        "url": "https://issues.redhat.com/browse/CNF-9438"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-11292",
        "url": "https://issues.redhat.com/browse/OCPBUGS-11292"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-11380",
        "url": "https://issues.redhat.com/browse/OCPBUGS-11380"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-11603",
        "url": "https://issues.redhat.com/browse/OCPBUGS-11603"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-11769",
        "url": "https://issues.redhat.com/browse/OCPBUGS-11769"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-12152",
        "url": "https://issues.redhat.com/browse/OCPBUGS-12152"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-12966",
        "url": "https://issues.redhat.com/browse/OCPBUGS-12966"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-13050",
        "url": "https://issues.redhat.com/browse/OCPBUGS-13050"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-13070",
        "url": "https://issues.redhat.com/browse/OCPBUGS-13070"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-13634",
        "url": "https://issues.redhat.com/browse/OCPBUGS-13634"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-13805",
        "url": "https://issues.redhat.com/browse/OCPBUGS-13805"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-13981",
        "url": "https://issues.redhat.com/browse/OCPBUGS-13981"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-14921",
        "url": "https://issues.redhat.com/browse/OCPBUGS-14921"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-15102",
        "url": "https://issues.redhat.com/browse/OCPBUGS-15102"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-15369",
        "url": "https://issues.redhat.com/browse/OCPBUGS-15369"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-15470",
        "url": "https://issues.redhat.com/browse/OCPBUGS-15470"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-15790",
        "url": "https://issues.redhat.com/browse/OCPBUGS-15790"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-16032",
        "url": "https://issues.redhat.com/browse/OCPBUGS-16032"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-16094",
        "url": "https://issues.redhat.com/browse/OCPBUGS-16094"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-16358",
        "url": "https://issues.redhat.com/browse/OCPBUGS-16358"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-16412",
        "url": "https://issues.redhat.com/browse/OCPBUGS-16412"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-16742",
        "url": "https://issues.redhat.com/browse/OCPBUGS-16742"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-17037",
        "url": "https://issues.redhat.com/browse/OCPBUGS-17037"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-17382",
        "url": "https://issues.redhat.com/browse/OCPBUGS-17382"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-17699",
        "url": "https://issues.redhat.com/browse/OCPBUGS-17699"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-18867",
        "url": "https://issues.redhat.com/browse/OCPBUGS-18867"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-19066",
        "url": "https://issues.redhat.com/browse/OCPBUGS-19066"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-19349",
        "url": "https://issues.redhat.com/browse/OCPBUGS-19349"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-19637",
        "url": "https://issues.redhat.com/browse/OCPBUGS-19637"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-19954",
        "url": "https://issues.redhat.com/browse/OCPBUGS-19954"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-19999",
        "url": "https://issues.redhat.com/browse/OCPBUGS-19999"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-20148",
        "url": "https://issues.redhat.com/browse/OCPBUGS-20148"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-20423",
        "url": "https://issues.redhat.com/browse/OCPBUGS-20423"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-22223",
        "url": "https://issues.redhat.com/browse/OCPBUGS-22223"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-9413",
        "url": "https://issues.redhat.com/browse/OCPBUGS-9413"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6143.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Container Platform 4.14.0 CNF vRAN extras security update",
    "tracking": {
      "current_release_date": "2026-04-12T07:38:08+00:00",
      "generator": {
        "date": "2026-04-12T07:38:08+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2023:6143",
      "initial_release_date": "2023-10-26T16:29:51+00:00",
      "revision_history": [
        {
          "date": "2023-10-26T16:29:51+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-10-26T16:29:51+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-12T07:38:08+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Container Platform 4.14",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.14",
                  "product_id": "8Base-RHOSE-4.14",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:4.14::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
                "product": {
                  "name": "openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
                  "product_id": "openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/bare-metal-event-relay-operator-bundle\u0026tag=v4.14.0-49"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
                "product": {
                  "name": "openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
                  "product_id": "openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/bare-metal-event-relay-rhel8-operator\u0026tag=v4.14.0-27"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
                "product": {
                  "name": "openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
                  "product_id": "openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/baremetal-hardware-event-proxy-rhel8\u0026tag=v4.14.0-23"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
                "product": {
                  "name": "openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
                  "product_id": "openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/topology-aware-lifecycle-manager-operator-bundle\u0026tag=v4.14.0-92"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
                "product": {
                  "name": "openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
                  "product_id": "openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/topology-aware-lifecycle-manager-rhel8-operator\u0026tag=v4.14.0-68"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
                "product": {
                  "name": "openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
                  "product_id": "openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/topology-aware-lifecycle-manager-precache-rhel8\u0026tag=v4.14.0-61"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
                "product": {
                  "name": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
                  "product_id": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/topology-aware-lifecycle-manager-recovery-rhel8\u0026tag=v4.14.0-61"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64",
                "product": {
                  "name": "openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64",
                  "product_id": "openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ztp-site-generate-rhel8\u0026tag=v4.14.0-71"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64"
        },
        "product_reference": "openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64"
        },
        "product_reference": "openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64"
        },
        "product_reference": "openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64"
        },
        "product_reference": "openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64"
        },
        "product_reference": "openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64"
        },
        "product_reference": "openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64"
        },
        "product_reference": "openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64 as a component of Red Hat OpenShift Container Platform 4.14",
          "product_id": "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
        },
        "product_reference": "openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64",
        "relates_to_product_reference": "8Base-RHOSE-4.14"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-30841",
      "discovery_date": "2023-04-27T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
            "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
            "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2190116"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included deploy.sh store `.htpasswd` files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster or access to the management cluster\u0027s etcd storage.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
          "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
          "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
          "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-30841"
        },
        {
          "category": "external",
          "summary": "RHBZ#2190116",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2190116"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-30841",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-30841"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-30841",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30841"
        },
        {
          "category": "external",
          "summary": "https://github.com/metal3-io/baremetal-operator/pull/1241",
          "url": "https://github.com/metal3-io/baremetal-operator/pull/1241"
        },
        {
          "category": "external",
          "summary": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m",
          "url": "https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-9wh7-397j-722m"
        }
      ],
      "release_date": "2023-04-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-26T16:29:51+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6143"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
            "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
            "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access"
    },
    {
      "cve": "CVE-2023-39325",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-10-10T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
            "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
            "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2243296"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nAs go-lang vendors its dependencies, a package may contain a library with a known vulnerability, solely because of lower tier libraries including it as a part of its dependencies, but the vulnerable code is not reachable at runtime. In such cases the issue is not exploitable. We classify these situations as \u201cNot affected\u201d or \u201cWill not fix,\u201d depending on the risk of breaking other unrelated packages.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
          "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
          "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
          "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "RHBZ#2243296",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-003",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
          "url": "https://access.redhat.com/security/cve/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/63417",
          "url": "https://go.dev/issue/63417"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2102",
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        }
      ],
      "release_date": "2023-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-26T16:29:51+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6143"
        },
        {
          "category": "workaround",
          "details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
          "product_ids": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
            "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
            "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7_amd64",
            "8Base-RHOSE-4.14:openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4_amd64",
            "8Base-RHOSE-4.14:openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931_amd64",
            "8Base-RHOSE-4.14:openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803_amd64",
            "8Base-RHOSE-4.14:openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
    }
  ]
}

CVE-2023-30841 (GCVE-0-2023-30841)

Vulnerability from cvelistv5 – Published: 2023-04-26 18:24 – Updated: 2025-01-30 21:30

Title

Ironic and ironic-inspector deployed within Baremetal Operator may expose as ConfigMaps

Summary

Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.

Severity ?

6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	metal3-io	baremetal-operator	Affected: < 0.3.0

CVE-2023-39325 (GCVE-0-2023-39325)

Vulnerability from cvelistv5 – Published: 2023-10-11 21:15 – Updated: 2025-02-13 17:02

Title

HTTP/2 rapid reset can cause excessive work in net/http

Summary

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Severity ?

No CVSS data available.

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/issue/63417
	https://go.dev/cl/534215
	https://go.dev/cl/534235
	https://groups.google.com/g/golang-announce/c/iNN…
	https://pkg.go.dev/vuln/GO-2023-2102
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://security.netapp.com/advisory/ntap-2023111…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://security.gentoo.org/glsa/202311-09
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

Vendor

Product

Version

Go standard library

net/http

Affected: 0 , < 1.20.10 (semver)
Affected: 1.21.0-0 , < 1.21.3 (semver)

golang.org/x/net

golang.org/x/net/http2

Affected: 0 , < 0.17.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.746Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/63417"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/534215"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/534235"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-2102"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "http2serverConn.serve"
            },
            {
              "name": "http2serverConn.processHeaders"
            },
            {
              "name": "http2serverConn.upgradeRequest"
            },
            {
              "name": "http2serverConn.runHandler"
            },
            {
              "name": "ListenAndServe"
            },
            {
              "name": "ListenAndServeTLS"
            },
            {
              "name": "Serve"
            },
            {
              "name": "ServeTLS"
            },
            {
              "name": "Server.ListenAndServe"
            },
            {
              "name": "Server.ListenAndServeTLS"
            },
            {
              "name": "Server.Serve"
            },
            {
              "name": "Server.ServeTLS"
            },
            {
              "name": "http2Server.ServeConn"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.20.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.21.3",
              "status": "affected",
              "version": "1.21.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "serverConn.serve"
            },
            {
              "name": "serverConn.processHeaders"
            },
            {
              "name": "serverConn.upgradeRequest"
            },
            {
              "name": "serverConn.runHandler"
            },
            {
              "name": "Server.ServeConn"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-28T04:05:57.980Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/63417"
        },
        {
          "url": "https://go.dev/cl/534215"
        },
        {
          "url": "https://go.dev/cl/534235"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
        }
      ],
      "title": "HTTP/2 rapid reset can cause excessive work in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-39325",
    "datePublished": "2023-10-11T21:15:02.727Z",
    "dateReserved": "2023-07-27T17:05:55.188Z",
    "dateUpdated": "2025-02-13T17:02:50.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2023:6143

CVE-2023-30841 (GCVE-0-2023-30841)

CVE-2023-39325 (GCVE-0-2023-39325)

Tags

Sightings

Nomenclature