csaf_redhat - rhsa-2024

rhsa-2024_1812

Vulnerability from csaf_redhat

Published

2024-04-15 05:44

Modified

2024-09-18 19:45

Summary

Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes

Notes

Topic

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available: * custom-metrics-autoscaler-adapter-container * custom-metrics-autoscaler-admission-webhooks-container * custom-metrics-autoscaler-container * custom-metrics-autoscaler-operator-bundle-container * custom-metrics-autoscaler-operator-container Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions. This version makes use of newer tools and libraries to address the following issues: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326) jose-go: improper handling of highly compressed data (CVE-2024-28180) opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108) In addition, the following bug has been fixed: Custom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler) This release is based upon KEDA 2.12.1

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Custom Metrics Autoscaler Operator for Red Hat OpenShift including security\nupdates.\n\nThe following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:\n\n* custom-metrics-autoscaler-adapter-container\n* custom-metrics-autoscaler-admission-webhooks-container\n* custom-metrics-autoscaler-container\n* custom-metrics-autoscaler-operator-bundle-container\n* custom-metrics-autoscaler-operator-container\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.\n\nThis version makes use of newer tools and libraries to address the following issues:\ngolang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)\njose-go: improper handling of highly compressed data (CVE-2024-28180)\nopentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)\n\nIn addition, the following bug has been fixed:\nCustom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler)\n\nThis release is based upon KEDA 2.12.1",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:1812",
        "url": "https://access.redhat.com/errata/RHSA-2024:1812"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-28180",
        "url": "https://access.redhat.com/security/cve/CVE-2024-28180"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-47108",
        "url": "https://access.redhat.com/security/cve/CVE-2023-47108"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-39326",
        "url": "https://access.redhat.com/security/cve/CVE-2023-39326"
      },
      {
        "category": "external",
        "summary": "2251198",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251198"
      },
      {
        "category": "external",
        "summary": "2253330",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
      },
      {
        "category": "external",
        "summary": "2268854",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268854"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-25806",
        "url": "https://issues.redhat.com/browse/OCPBUGS-25806"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-30145",
        "url": "https://issues.redhat.com/browse/OCPBUGS-30145"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1812.json"
      }
    ],
    "title": "Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes",
    "tracking": {
      "current_release_date": "2024-09-18T19:45:01+00:00",
      "generator": {
        "date": "2024-09-18T19:45:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2024:1812",
      "initial_release_date": "2024-04-15T05:44:34+00:00",
      "revision_history": [
        {
          "date": "2024-04-15T05:44:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-04-15T05:44:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-18T19:45:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Custom Metrics Autoscaler 2",
                "product": {
                  "name": "OpenShift Custom Metrics Autoscaler 2",
                  "product_id": "8Base-OCMA-2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Custom Metrics Autoscaler"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator\u0026tag=2.12.1-376"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-39326",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-12-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2253330"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "RHBZ#2253330",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39326",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2382",
          "url": "https://pkg.go.dev/vuln/GO-2023-2382"
        }
      ],
      "release_date": "2023-12-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "No mitigation is available for this flaw.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests"
    },
    {
      "cve": "CVE-2023-47108",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2023-11-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2251198"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory exhaustion flaw was found in the otelgrpc handler of open-telemetry. This flaw may allow a remote unauthenticated attacker to flood the peer address and port and exhaust the server\u0027s memory by sending multiple malicious requests, affecting the availability of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While no authentication is required, there are a significant number of non-default factors that prevent widespread exploitation of this issue. To affect a service, all of the following must be true:\n- The go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc package must be in use\n- Configured a metrics pipeline that uses the UnaryServerInterceptor wrapper function\n- No filtering of unknown HTTP methods or user agents at a higher level, such as Content Delivery Network\n\nDue to the limited attack surface, Red Hat Product Security rates the impact of this flaw as Moderate.\n\ncluster-network-operator-container in Openshift Container Platform 4 is rated as low and Won\u0027t Fix as the stats are behind an RBAC proxy and isn\u0027t available to unauthenticated users.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "RHBZ#2251198",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251198"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-47108",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-47108",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
        }
      ],
      "release_date": "2023-11-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "As a workaround, use a view removing the attributes. Another possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics"
    },
    {
      "cve": "CVE-2024-28180",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2024-03-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2268854"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Jose due to improper handling of highly compressed data. This issue could allow an attacker to send a JWE containing compressed data that uses large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jose-go: improper handling of highly compressed data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "RHBZ#2268854",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268854"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28180",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
        }
      ],
      "release_date": "2024-03-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jose-go: improper handling of highly compressed data"
    }
  ]
}

cve-2023-39326

Vulnerability from cvelistv5

Published

2023-12-06 16:27

Modified

2024-08-02 18:02

Severity

Summary

Denial of service via chunk extensions in net/http

References

URL	Tags
https://go.dev/issue/64433
https://go.dev/cl/547335
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/

Impacted products

Vendor	Product
Go standard library	net/http/internal

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/64433"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/547335"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-2382"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http/internal",
          "product": "net/http/internal",
          "programRoutines": [
            {
              "name": "chunkedReader.beginChunk"
            },
            {
              "name": "readChunkLine"
            },
            {
              "name": "chunkedReader.Read"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.20.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.21.5",
              "status": "affected",
              "version": "1.21.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Bartek Nowotarski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-06T16:27:53.832Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/64433"
        },
        {
          "url": "https://go.dev/cl/547335"
        },
        {
          "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-2382"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/"
        }
      ],
      "title": "Denial of service via chunk extensions in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-39326",
    "datePublished": "2023-12-06T16:27:53.832Z",
    "dateReserved": "2023-07-27T17:05:55.188Z",
    "dateUpdated": "2024-08-02T18:02:06.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-47108

Vulnerability from cvelistv5

Published

2023-11-10 18:31

Modified

2024-09-03 17:26

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics

References

URL	Tags
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw	x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322	x_refsource_MISC
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b	x_refsource_MISC
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327	x_refsource_MISC
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138	x_refsource_MISC
https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider	x_refsource_MISC

Impacted products

Vendor	Product
open-telemetry	opentelemetry-go-contrib

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:01:22.674Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
          },
          {
            "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47108",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T17:26:16.403179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:26:56.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go-contrib",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.46.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-10T18:31:33.730Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
        },
        {
          "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
        }
      ],
      "source": {
        "advisory": "GHSA-8pgv-569h-w5rw",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics "
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-47108",
    "datePublished": "2023-11-10T18:31:33.730Z",
    "dateReserved": "2023-10-30T19:57:51.673Z",
    "dateUpdated": "2024-09-03T17:26:56.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-28180

Vulnerability from cvelistv5

Published

2024-03-09 00:54

Modified

2024-08-28 17:51

Severity

4.3 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Summary

Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)

References

URL	Tags
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g	x_refsource_CONFIRM
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298	x_refsource_MISC
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a	x_refsource_MISC
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/

Impacted products

Vendor	Product
go-jose	go-jose

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.442Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
          },
          {
            "name": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298"
          },
          {
            "name": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a"
          },
          {
            "name": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "go-jose",
            "vendor": "go-jose_project",
            "versions": [
              {
                "lessThan": "4.0.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.0.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.6.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28180",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-11T15:08:38.886435Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T17:51:52.720Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-jose",
          "vendor": "go-jose",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.1"
            },
            {
              "status": "affected",
              "version": "\u003c 3.0.3"
            },
            {
              "status": "affected",
              "version": "\u003c 2.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-09T00:54:46.382Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
        },
        {
          "name": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298"
        },
        {
          "name": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a"
        },
        {
          "name": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/"
        }
      ],
      "source": {
        "advisory": "GHSA-c5q2-7r4c-mv6g",
        "discovery": "UNKNOWN"
      },
      "title": "Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28180",
    "datePublished": "2024-03-09T00:54:46.382Z",
    "dateReserved": "2024-03-06T17:35:00.857Z",
    "dateUpdated": "2024-08-28T17:51:52.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2024_1812

Vulnerability from csaf_redhat

cve-2023-39326

Vulnerability from cvelistv5

cve-2023-47108

Vulnerability from cvelistv5

cve-2024-28180

Vulnerability from cvelistv5

Tags