rhsa-2024_3316
Vulnerability from csaf_redhat
Published
2024-05-23 06:39
Modified
2024-09-18 22:49
Summary
Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
Notes
Topic
Migration Toolkit for Applications 7.0.3 release
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details
Migration Toolkit for Applications 7.0.3 Images
Security Fix(es) from Bugzilla:
* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
* webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
* axios: exposure of confidential data stored in cookies (CVE-2023-45857)
* css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
* go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2 (CVE-2023-45286)
* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)
* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
* css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
* follow-redirects: Possible credential leak (CVE-2024-28849)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Migration Toolkit for Applications 7.0.3 release\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Applications 7.0.3 Images\n\nSecurity Fix(es) from Bugzilla:\n\n* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)\n\n* webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)\n\n* axios: exposure of confidential data stored in cookies (CVE-2023-45857)\n\n* css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)\n\n* go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2 (CVE-2023-45286)\n\n* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)\n\n* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)\n\n* css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)\n\n* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)\n\n* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)\n\n* follow-redirects: Possible credential leak (CVE-2024-28849)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:3316",
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2248979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"
},
{
"category": "external",
"summary": "2250364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250364"
},
{
"category": "external",
"summary": "2252012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252012"
},
{
"category": "external",
"summary": "2253193",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253193"
},
{
"category": "external",
"summary": "2253330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
},
{
"category": "external",
"summary": "2254559",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254559"
},
{
"category": "external",
"summary": "2256413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"
},
{
"category": "external",
"summary": "2268046",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268046"
},
{
"category": "external",
"summary": "2268273",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
},
{
"category": "external",
"summary": "2269576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269576"
},
{
"category": "external",
"summary": "2270863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270863"
},
{
"category": "external",
"summary": "MTA-1578",
"url": "https://issues.redhat.com/browse/MTA-1578"
},
{
"category": "external",
"summary": "MTA-1959",
"url": "https://issues.redhat.com/browse/MTA-1959"
},
{
"category": "external",
"summary": "MTA-1961",
"url": "https://issues.redhat.com/browse/MTA-1961"
},
{
"category": "external",
"summary": "MTA-1970",
"url": "https://issues.redhat.com/browse/MTA-1970"
},
{
"category": "external",
"summary": "MTA-1997",
"url": "https://issues.redhat.com/browse/MTA-1997"
},
{
"category": "external",
"summary": "MTA-2003",
"url": "https://issues.redhat.com/browse/MTA-2003"
},
{
"category": "external",
"summary": "MTA-2117",
"url": "https://issues.redhat.com/browse/MTA-2117"
},
{
"category": "external",
"summary": "MTA-2186",
"url": "https://issues.redhat.com/browse/MTA-2186"
},
{
"category": "external",
"summary": "MTA-2224",
"url": "https://issues.redhat.com/browse/MTA-2224"
},
{
"category": "external",
"summary": "MTA-2243",
"url": "https://issues.redhat.com/browse/MTA-2243"
},
{
"category": "external",
"summary": "MTA-2287",
"url": "https://issues.redhat.com/browse/MTA-2287"
},
{
"category": "external",
"summary": "MTA-2308",
"url": "https://issues.redhat.com/browse/MTA-2308"
},
{
"category": "external",
"summary": "MTA-2314",
"url": "https://issues.redhat.com/browse/MTA-2314"
},
{
"category": "external",
"summary": "MTA-2341",
"url": "https://issues.redhat.com/browse/MTA-2341"
},
{
"category": "external",
"summary": "MTA-2380",
"url": "https://issues.redhat.com/browse/MTA-2380"
},
{
"category": "external",
"summary": "MTA-2400",
"url": "https://issues.redhat.com/browse/MTA-2400"
},
{
"category": "external",
"summary": "MTA-2409",
"url": "https://issues.redhat.com/browse/MTA-2409"
},
{
"category": "external",
"summary": "MTA-2410",
"url": "https://issues.redhat.com/browse/MTA-2410"
},
{
"category": "external",
"summary": "MTA-2426",
"url": "https://issues.redhat.com/browse/MTA-2426"
},
{
"category": "external",
"summary": "MTA-2427",
"url": "https://issues.redhat.com/browse/MTA-2427"
},
{
"category": "external",
"summary": "MTA-2451",
"url": "https://issues.redhat.com/browse/MTA-2451"
},
{
"category": "external",
"summary": "MTA-2452",
"url": "https://issues.redhat.com/browse/MTA-2452"
},
{
"category": "external",
"summary": "MTA-2495",
"url": "https://issues.redhat.com/browse/MTA-2495"
},
{
"category": "external",
"summary": "MTA-2503",
"url": "https://issues.redhat.com/browse/MTA-2503"
},
{
"category": "external",
"summary": "MTA-2505",
"url": "https://issues.redhat.com/browse/MTA-2505"
},
{
"category": "external",
"summary": "MTA-2512",
"url": "https://issues.redhat.com/browse/MTA-2512"
},
{
"category": "external",
"summary": "MTA-2513",
"url": "https://issues.redhat.com/browse/MTA-2513"
},
{
"category": "external",
"summary": "MTA-2518",
"url": "https://issues.redhat.com/browse/MTA-2518"
},
{
"category": "external",
"summary": "MTA-2550",
"url": "https://issues.redhat.com/browse/MTA-2550"
},
{
"category": "external",
"summary": "MTA-2560",
"url": "https://issues.redhat.com/browse/MTA-2560"
},
{
"category": "external",
"summary": "MTA-2563",
"url": "https://issues.redhat.com/browse/MTA-2563"
},
{
"category": "external",
"summary": "MTA-2616",
"url": "https://issues.redhat.com/browse/MTA-2616"
},
{
"category": "external",
"summary": "MTA-2652",
"url": "https://issues.redhat.com/browse/MTA-2652"
},
{
"category": "external",
"summary": "MTA-2654",
"url": "https://issues.redhat.com/browse/MTA-2654"
},
{
"category": "external",
"summary": "MTA-2661",
"url": "https://issues.redhat.com/browse/MTA-2661"
},
{
"category": "external",
"summary": "MTA-2681",
"url": "https://issues.redhat.com/browse/MTA-2681"
},
{
"category": "external",
"summary": "MTA-2781",
"url": "https://issues.redhat.com/browse/MTA-2781"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3316.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update",
"tracking": {
"current_release_date": "2024-09-18T22:49:26+00:00",
"generator": {
"date": "2024-09-18T22:49:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2024:3316",
"initial_release_date": "2024-05-23T06:39:32+00:00",
"revision_history": [
{
"date": "2024-05-23T06:39:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-05-23T06:39:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-18T22:49:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "MTA 7.0 for RHEL 9",
"product": {
"name": "MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el9"
}
}
},
{
"category": "product_name",
"name": "MTA 7.0 for RHEL 8",
"product": {
"name": "MTA 7.0 for RHEL 8",
"product_id": "8Base-MTA-7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:7.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Applications"
},
{
"branches": [
{
"category": "product_version",
"name": "mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"product": {
"name": "mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"product_id": "mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-analyzer-addon-rhel9\u0026tag=7.0.3-13"
}
}
},
{
"category": "product_version",
"name": "mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"product": {
"name": "mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"product_id": "mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-analyzer-lsp-rhel9\u0026tag=7.0.3-13"
}
}
},
{
"category": "product_version",
"name": "mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"product": {
"name": "mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"product_id": "mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-cli-rhel9\u0026tag=7.0.3-16"
}
}
},
{
"category": "product_version",
"name": "mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"product": {
"name": "mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"product_id": "mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-hub-rhel9\u0026tag=7.0.3-10"
}
}
},
{
"category": "product_version",
"name": "mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"product": {
"name": "mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"product_id": "mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-operator-bundle\u0026tag=7.0.3-25"
}
}
},
{
"category": "product_version",
"name": "mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"product": {
"name": "mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"product_id": "mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-rhel8-operator\u0026tag=7.0.3-7"
}
}
},
{
"category": "product_version",
"name": "mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"product": {
"name": "mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"product_id": "mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-ui-rhel9\u0026tag=7.0.3-13"
}
}
},
{
"category": "product_version",
"name": "mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64",
"product": {
"name": "mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64",
"product_id": "mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-windup-shim-rhel9\u0026tag=7.0.3-12"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"product": {
"name": "mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"product_id": "mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc?arch=arm64\u0026repository_url=registry.redhat.io/mta/mta-analyzer-lsp-rhel9\u0026tag=7.0.3-13"
}
}
},
{
"category": "product_version",
"name": "mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"product": {
"name": "mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"product_id": "mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99?arch=arm64\u0026repository_url=registry.redhat.io/mta/mta-cli-rhel9\u0026tag=7.0.3-16"
}
}
},
{
"category": "product_version",
"name": "mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"product": {
"name": "mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"product_id": "mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092?arch=arm64\u0026repository_url=registry.redhat.io/mta/mta-windup-shim-rhel9\u0026tag=7.0.3-12"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64 as a component of MTA 7.0 for RHEL 8",
"product_id": "8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64"
},
"product_reference": "mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"relates_to_product_reference": "8Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64"
},
"product_reference": "mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64"
},
"product_reference": "mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64"
},
"product_reference": "mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64"
},
"product_reference": "mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
},
"product_reference": "mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64"
},
"product_reference": "mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64"
},
"product_reference": "mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
},
"product_reference": "mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64"
},
"product_reference": "mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"relates_to_product_reference": "9Base-MTA-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64 as a component of MTA 7.0 for RHEL 9",
"product_id": "9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
},
"product_reference": "mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64",
"relates_to_product_reference": "9Base-MTA-7.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26159",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-01-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2256413"
}
],
"notes": [
{
"category": "description",
"text": "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26159"
},
{
"category": "external",
"summary": "RHBZ#2256413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159"
}
],
"release_date": "2024-01-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()"
},
{
"cve": "CVE-2023-26364",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-11-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2250364"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Adobe CSS Tools. An improper input validation could result in a minor denial of service while parsing a malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "css-tools: Improper Input Validation causes Denial of Service via Regular Expression",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26364"
},
{
"category": "external",
"summary": "RHBZ#2250364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26364"
},
{
"category": "external",
"summary": "https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg",
"url": "https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg"
}
],
"release_date": "2023-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "No mitigation is yet available for this vulnerability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "css-tools: Improper Input Validation causes Denial of Service via Regular Expression"
},
{
"cve": "CVE-2023-39326",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-12-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253330"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39326"
},
{
"category": "external",
"summary": "RHBZ#2253330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39326",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39326"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2382",
"url": "https://pkg.go.dev/vuln/GO-2023-2382"
}
],
"release_date": "2023-12-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "No mitigation is available for this flaw.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests"
},
{
"cve": "CVE-2023-45286",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2023-11-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2252012"
}
],
"notes": [
{
"category": "description",
"text": "A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn\u0027t had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45286"
},
{
"category": "external",
"summary": "RHBZ#2252012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252012"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45286"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45286",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45286"
}
],
"release_date": "2023-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2"
},
{
"cve": "CVE-2023-45287",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2023-12-05T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253193"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Golang crypto/tls standard library. In previous versions, the package was vulnerable to a Timing Side Channel attack by observing the time it took for RSA-based TLS key exchanges, which was not constant. This flaw allows a malicious user to gather information from the environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The identified flaw in the Golang crypto/tls library, is assessed as a moderate severity issue rather than important due to several mitigating factors. Although the vulnerability exposes a Timing Side Channel, potentially allowing information retrieval through RSA-based TLS key exchanges, its exploitation demands significant access and expertise. Additionally, while earlier versions implemented RSA blinding to counter timing attacks, the removal of PKCS#1 padding may still leak timing data. However, the practicality of exploiting this flaw is limited, and the transition to a fully constant time RSA implementation in Go 1.20 significantly bolsters security, reducing the risk posed by timing side channels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45287"
},
{
"category": "external",
"summary": "RHBZ#2253193",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253193"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45287",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45287"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45287"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2375",
"url": "https://pkg.go.dev/vuln/GO-2023-2375"
}
],
"release_date": "2023-12-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "No current mitigation is available for this vulnerability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges."
},
{
"acknowledgments": [
{
"names": [
"Bartek Nowotarski"
],
"organization": "nowotarski.info"
}
],
"cve": "CVE-2023-45288",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268273"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates the security impact of this vulnerability as Important due to the worst case scenario resulting in a denial of service. It is simple to exploit, could significantly impact availability, and there is not a suitable mitigation for all use cases. Once an attack has ended, the system should return to normal operations on its own.\n\nThis vulnerability only impacts servers which have HTTP/2 enabled. It stems from an imperfect definition of the protocol. As the Go programming language is widely utilized across nearly every major Red Hat offering, a full listing of impacted packages will not be provided. Therefore, the \u201cAffected Packages and Issued Red Hat Security Errata\u201d section contains a simplified list of what offerings need to remediate this vulnerability. Every impacted offering has at least one representative component listed, but potentially not all of them. Rest assured that Red Hat is committed to remediating this vulnerability across our entire portfolio.\n\nMany components are rated as Low impact due to configurations which reduce the attack surface or significantly increase the difficulty of exploitation. A summary of these scenarios are:\n* The container includes a package that provides a vulnerable webserver, but it is not used or running during operation\n* HTTP/2 is disabled by default and is not supported\n* Only a client implementation is provided, which is not vulnerable\n* A vulnerable module (either golang.org/net/http or golang.org/x/net/http2) is included, but disabled\n* Access to a vulnerable server is restricted within the container (loopback only connections)\n* Golang is available in the container but is not used\n\n\nWithin the Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible. This means an attacker must already have access to a container within your environment to exploit this vulnerability. However, the ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible, so there are less barriers to exploitation. Fixes for this specific container are already available.\n\nWithin Red Hat Ansible Automation Platform, the impacted component is Receptor. The impact has been reduced to Low as the vulnerable code is present, but not utilized. There are three potential exposures within this component:\n* Receptor utilizes QUIC a UDP based protocol which does not run over HTTP/2\n* Receptor utilizes the x/net/ipv4 and ipv6 packages, both of which are not affected",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "RHBZ#2268273",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nowotarski.info/http2-continuation-flood/",
"url": "https://nowotarski.info/http2-continuation-flood/"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2687",
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"category": "external",
"summary": "https://www.kb.cert.org/vuls/id/421644",
"url": "https://www.kb.cert.org/vuls/id/421644"
}
],
"release_date": "2024-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "In some environments where http/2 support is not required, it may be possible to disable this feature to reduce risk.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS"
},
{
"cve": "CVE-2023-45857",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-11-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2248979"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: exposure of confidential data stored in cookies",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected container was deprecated in ACM 2.5 version which is not anymore supported. Following versions of this product are not impacted by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45857"
},
{
"category": "external",
"summary": "RHBZ#2248979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45857"
}
],
"release_date": "2023-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: exposure of confidential data stored in cookies"
},
{
"cve": "CVE-2023-48631",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2023-12-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2254559"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe\u0027s css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, especially when attempting to parse CSS.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "css-tools: regular expression denial of service (ReDoS) when parsing CSS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Regular Expression Denial of Service (ReDoS) vulnerability in css-tools, triggered by improper input validation when parsing CSS, is considered of moderate severity. While it can lead to a denial of service by causing the application to become unresponsive, the impact is limited to scenarios where an attacker can provide crafted input. Additionally, the absence of evidence of active exploitation in the wild and contextual factors, such as the software\u0027s usage, contribute to the moderate severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-48631"
},
{
"category": "external",
"summary": "RHBZ#2254559",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254559"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-48631",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48631"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631"
},
{
"category": "external",
"summary": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2",
"url": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2"
}
],
"release_date": "2023-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "css-tools: regular expression denial of service (ReDoS) when parsing CSS"
},
{
"cve": "CVE-2024-24786",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-03-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268046"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang\u0027s protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24786"
},
{
"category": "external",
"summary": "RHBZ#2268046",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268046"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
},
{
"category": "external",
"summary": "https://go.dev/cl/569356",
"url": "https://go.dev/cl/569356"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/",
"url": "https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2611",
"url": "https://pkg.go.dev/vuln/GO-2024-2611"
}
],
"release_date": "2024-03-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON"
},
{
"cve": "CVE-2024-28849",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2024-03-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2269576"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "follow-redirects: Possible credential leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-28849"
},
{
"category": "external",
"summary": "RHBZ#2269576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269576"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28849"
},
{
"category": "external",
"summary": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp",
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"
}
],
"release_date": "2024-03-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "follow-redirects: Possible credential leak"
},
{
"cve": "CVE-2024-29180",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2024-03-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270863"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer\u0027s machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "webpack-dev-middleware: lack of URL validation may lead to file leak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability in webpack-dev represents a important security issue due to its potential to expose sensitive files and compromise developer machines. By failing to validate URLs and normalize paths effectively, the middleware allows attackers to craft malicious requests that can retrieve arbitrary local files or perform unauthorized path traversal. This could lead to unauthorized access to confidential information, including source code, configuration files, and even system-level files. Given the widespread use of webpack-dev-middleware in web development environments, addressing this vulnerability promptly is important to prevent serious data breaches and protect the integrity of development processes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"known_not_affected": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29180"
},
{
"category": "external",
"summary": "RHBZ#2270863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270863"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29180"
},
{
"category": "external",
"summary": "https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6",
"url": "https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6"
}
],
"release_date": "2024-03-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3316"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-7.0:mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b_amd64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc_arm64",
"9Base-MTA-7.0:mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07_amd64",
"9Base-MTA-7.0:mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2_amd64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092_arm64",
"9Base-MTA-7.0:mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d_amd64",
"9Base-MTA-7.0:mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99_arm64",
"9Base-MTA-7.0:mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "webpack-dev-middleware: lack of URL validation may lead to file leak"
}
]
}
Loading...