csaf_redhat - rhsa-2023

rhsa-2023_7222

Vulnerability from csaf_redhat

Published

2023-11-15 01:25

Modified

2024-11-14 00:15

Summary

Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.2 security and bug fix update

Notes

Topic

The Migration Toolkit for Containers (MTC) 1.8.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Security Fix(es) from Bugzilla: * nodejs-semver: Regular expression denial of service (CVE-2022-25883) * tough-cookie: prototype pollution in cookie memstore (CVE-2023-26136) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The Migration Toolkit for Containers (MTC) 1.8.2 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es) from Bugzilla:\n\n* nodejs-semver: Regular expression denial of service (CVE-2022-25883)\n\n* tough-cookie: prototype pollution in cookie memstore (CVE-2023-26136)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:7222",
        "url": "https://access.redhat.com/errata/RHSA-2023:7222"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2216475",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216475"
      },
      {
        "category": "external",
        "summary": "2219310",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219310"
      },
      {
        "category": "external",
        "summary": "2246122",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246122"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7222.json"
      }
    ],
    "title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.2 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-14T00:15:50+00:00",
      "generator": {
        "date": "2024-11-14T00:15:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHSA-2023:7222",
      "initial_release_date": "2023-11-15T01:25:46+00:00",
      "revision_history": [
        {
          "date": "2023-11-15T01:25:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-11-15T01:25:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T00:15:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "8Base-RHMTC-1.8",
                "product": {
                  "name": "8Base-RHMTC-1.8",
                  "product_id": "8Base-RHMTC-1.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhmt:1.8::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Migration Toolkit"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
                  "product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
                  "product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.8.2-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
                  "product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
                  "product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
                  "product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
                  "product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.8.2-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
                  "product_id": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.8.2-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
                  "product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
                  "product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64",
                  "product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.8.2-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64",
                  "product_id": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8\u0026tag=v1.8.2-1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25883",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2023-06-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2216475"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the \u0027new Range\u0027 function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs-semver: Regular expression denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Advanced Cluster Management for Kubernetes-2 and Red Hat Advanced Cluster Security-3 has been marked as Low severity because node-semver is a Dev dependency for those, used only during the build process, and not used in customer environments.\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the server-regexp dependency is protected by OAuth what is reducing impact by this flaw to Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
        ],
        "known_not_affected": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-25883"
        },
        {
          "category": "external",
          "summary": "RHBZ#2216475",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216475"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25883",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
          "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795",
          "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
        }
      ],
      "release_date": "2023-06-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-11-15T01:25:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7222"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "nodejs-semver: Regular expression denial of service"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Kokorin Vsevolod"
          ]
        }
      ],
      "cve": "CVE-2023-26136",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2023-07-03T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2219310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the tough-cookie package which allows Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tough-cookie: prototype pollution in cookie memstore",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
        ],
        "known_not_affected": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-26136"
        },
        {
          "category": "external",
          "summary": "RHBZ#2219310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26136",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-26136"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136"
        },
        {
          "category": "external",
          "summary": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e",
          "url": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e"
        },
        {
          "category": "external",
          "summary": "https://github.com/salesforce/tough-cookie/issues/282",
          "url": "https://github.com/salesforce/tough-cookie/issues/282"
        },
        {
          "category": "external",
          "summary": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3",
          "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html",
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873",
          "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873"
        }
      ],
      "release_date": "2023-07-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-11-15T01:25:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7222"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tough-cookie: prototype pollution in cookie memstore"
    }
  ]
}

cve-2023-26136

Vulnerability from cvelistv5

Published

2023-07-01 05:00

Modified

2024-08-02 11:39

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P

Summary

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

References

▼	URL	Tags
	https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
	https://github.com/salesforce/tough-cookie/issues/282
	https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
	https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
	https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
	https://security.netapp.com/advisory/ntap-20240621-0006/

Impacted products

▼	Vendor	Product
	n/a	tough-cookie

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:39:06.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/salesforce/tough-cookie/issues/282"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tough-cookie",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "4.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kokorin Vsevolod"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "Prototype Pollution",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-01T05:00:01.115Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873"
        },
        {
          "url": "https://github.com/salesforce/tough-cookie/issues/282"
        },
        {
          "url": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e"
        },
        {
          "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2023-26136",
    "datePublished": "2023-07-01T05:00:01.115Z",
    "dateReserved": "2023-02-20T10:28:48.926Z",
    "dateUpdated": "2024-08-02T11:39:06.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-25883

Vulnerability from cvelistv5

Published

2023-06-21 05:00

Modified

2024-10-25 13:07

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

Summary

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

References

▼	URL	Tags
	https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
	https://github.com/npm/node-semver/blob/main/internal/re.js%23L160
	https://github.com/npm/node-semver/blob/main/internal/re.js%23L138
	https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104
	https://github.com/npm/node-semver/pull/564
	https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441

Impacted products

▼	Vendor	Product
	n/a	semver

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-10-25T13:07:28.542Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-semver/pull/564"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241025-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "semver",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "7.5.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alessio Della Libera - Snyk Research Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\r\r\r"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "Regular Expression Denial of Service (ReDoS)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-21T05:00:03.352Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
        },
        {
          "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
        },
        {
          "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
        },
        {
          "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
        },
        {
          "url": "https://github.com/npm/node-semver/pull/564"
        },
        {
          "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-25883",
    "datePublished": "2023-06-21T05:00:03.352Z",
    "dateReserved": "2022-02-24T11:58:25.192Z",
    "dateUpdated": "2024-10-25T13:07:28.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2023_7222

Vulnerability from csaf_redhat

cve-2023-26136

Vulnerability from cvelistv5

cve-2022-25883

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature