rhsa-2023_7222
Vulnerability from csaf_redhat
Published
2023-11-15 01:25
Modified
2024-11-14 00:15
Summary
Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.2 security and bug fix update
Notes
Topic
The Migration Toolkit for Containers (MTC) 1.8.2 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es) from Bugzilla:
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)
* tough-cookie: prototype pollution in cookie memstore (CVE-2023-26136)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "The Migration Toolkit for Containers (MTC) 1.8.2 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es) from Bugzilla:\n\n* nodejs-semver: Regular expression denial of service (CVE-2022-25883)\n\n* tough-cookie: prototype pollution in cookie memstore (CVE-2023-26136)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:7222", "url": "https://access.redhat.com/errata/RHSA-2023:7222" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2216475", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216475" }, { "category": "external", "summary": "2219310", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219310" }, { "category": "external", "summary": "2246122", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246122" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7222.json" } ], "title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.2 security and bug fix update", "tracking": { "current_release_date": "2024-11-14T00:15:50+00:00", "generator": { "date": "2024-11-14T00:15:50+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2023:7222", "initial_release_date": "2023-11-15T01:25:46+00:00", "revision_history": [ { "date": "2023-11-15T01:25:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-11-15T01:25:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T00:15:50+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": 
"product_name", "name": "8Base-RHMTC-1.8", "product": { "name": "8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhmt:1.8::el8" } } } ], "category": "product_family", "name": "Red Hat Migration Toolkit" }, { "branches": [ { "category": "product_version", "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "product": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.8.2-1" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "product": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.8.2-2" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "product": { "name": 
"rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.8.2-1" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "product": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.8.2-1" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "product": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.8.2-1" } } }, { 
"category": "product_version", "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "product": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.8.2-2" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "product": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "product_id": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.8.2-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "product": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "product_identification_helper": { "purl": 
"pkg:oci/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.8.2-1" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "product": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.8.2-1" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64", "product": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64", "product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.8.2-2" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64", "product": { "name": 
"rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8\u0026tag=v1.8.2-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64" }, "product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64" }, "product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": 
"rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64" }, "product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64" }, "product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64" }, "product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64 as a component of 8Base-RHMTC-1.8", "product_id": 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64" }, "product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64" }, "product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64" }, "product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64" }, "product_reference": 
"rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" }, "product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64 as a component of 8Base-RHMTC-1.8", "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64", "relates_to_product_reference": "8Base-RHMTC-1.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-25883", "cwe": { "id": "CWE-1333", "name": "Inefficient Regular Expression Complexity" }, "discovery_date": "2023-06-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2216475" } ], "notes": [ { "category": "description", "text": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the \u0027new Range\u0027 function. 
This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-semver: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Advanced Cluster Management for Kubernetes-2 and Red Hat Advanced Cluster Security-3 has been marked as Low severity because node-semver is a Dev dependency for those, used only during the build process, and not used in customer environments.\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the server-regexp dependency is protected by OAuth what is reducing impact by this flaw to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25883" }, { "category": "external", "summary": "RHBZ#2216475", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216475" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25883", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25883" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795", "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" } ], "release_date": "2023-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T01:25:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this 
update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7222" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "nodejs-semver: Regular expression denial of service" }, { "acknowledgments": [ { "names": [ "Kokorin Vsevolod" ] } ], "cve": "CVE-2023-26136", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2023-07-03T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2219310" } ], "notes": [ { "category": "description", "text": "A flaw was found in the tough-cookie package which allows Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", "title": "Vulnerability description" }, { "category": "summary", "text": "tough-cookie: prototype pollution in cookie memstore", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:4e6233e51dbc216a28ef991f3b302e0a069736274d38ef4ff2109c04ae5e3f49_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:73db4beeb2199823cfa10095b6c4826bfaf8105eb907f0306b775c497f3f6d74_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:8f4dc5fc5556e6483530c5c0e6c229982f817a4cc93cb222aa031aa7c7019b68_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:288df06c12dafcfe99e597010f5c43104a1b06ea1467bcc998e7fc7cb40a2c70_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:63330daa85a555d601379a72f68ef2f0fe17ff02c2e9b6ade86015e00bfafefe_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:c3a3adbca1dc38f75cbf940d26db533f7733f573bfb95ce0f5bb9e140d5bfe63_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:1ccaffa6fd0efe47ec779366fc7c615f24df8749555c41fbbcca4b044ad39269_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:c64c103aa239ef04954214ca7ae9e6eb234cae7e716902e1d695a5220ff8316c_amd64", "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:80a6ac89439aef756037127b460fee129016846464e8327db6d30d9da912e4ec_amd64", 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9c1b54b7cf7117800228d737b20ed08c0a1f81e4b27dfad29819497a2bca9dbb_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-26136" }, { "category": "external", "summary": "RHBZ#2219310", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219310" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26136", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26136" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136" }, { "category": "external", "summary": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", "url": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e" }, { "category": "external", "summary": "https://github.com/salesforce/tough-cookie/issues/282", "url": "https://github.com/salesforce/tough-cookie/issues/282" }, { "category": "external", "summary": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873", "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873" } ], "release_date": "2023-07-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T01:25:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7222" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:55b9b7db18dde0134a454b4b8adc66c1dbd94d426756c0732c39cf053cb9d42e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tough-cookie: prototype pollution in cookie memstore" } ] }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.