rhsa-2024_9884
Vulnerability from csaf_redhat
Published
2024-11-18 14:52
Modified
2024-12-18 04:40
Summary
Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.0
Notes
Topic
Red Hat Trusted Profile Analyzer 1.2.0 release. Red Hat Product Security has rated this update as having a security impact of Moderate. (Note: this wording conflicts with the advisory's own "aggregate_severity" field, which is "Important", and with the CVE-2024-45590 body-parser entry, whose impact is also "Important"; when prioritizing, treat the advisory as Important.)
Details
Red Hat Trusted Profile Analyzer 1.2.0. Per the advisory body, this release fixes CVE-2024-45296 (path-to-regexp backtracking ReDoS, CVSS 5.3) and CVE-2024-45590 (body-parser denial of service via crafted URL-encoded payload, CVSS 7.5) in the container image registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9 at the sha256 digest listed in the product tree; no workaround is offered, and upgrading from 1.1.2 involves a data-model migration (see the linked release notes).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat Trusted Profile Analyzer 1.2.0 release Red Hat Product Security has rated this update as having a security impact of Moderate", "title": "Topic" }, { "category": "general", "text": "Red Hat Trusted Profile Analyzer 1.2.0", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:9884", "url": "https://access.redhat.com/errata/RHSA-2024:9884" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1713", "url": "https://issues.redhat.com/browse/TC-1713" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1721", "url": "https://issues.redhat.com/browse/TC-1721" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1757", "url": "https://issues.redhat.com/browse/TC-1757" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1769", "url": 
"https://issues.redhat.com/browse/TC-1769" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1770", "url": "https://issues.redhat.com/browse/TC-1770" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1799", "url": "https://issues.redhat.com/browse/TC-1799" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1800", "url": "https://issues.redhat.com/browse/TC-1800" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1801", "url": "https://issues.redhat.com/browse/TC-1801" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1810", "url": "https://issues.redhat.com/browse/TC-1810" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1815", "url": "https://issues.redhat.com/browse/TC-1815" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1817", "url": "https://issues.redhat.com/browse/TC-1817" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1818", "url": "https://issues.redhat.com/browse/TC-1818" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1841", "url": "https://issues.redhat.com/browse/TC-1841" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1842", "url": "https://issues.redhat.com/browse/TC-1842" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1846", "url": "https://issues.redhat.com/browse/TC-1846" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1847", "url": "https://issues.redhat.com/browse/TC-1847" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1855", "url": "https://issues.redhat.com/browse/TC-1855" }, { "category": "external", "summary": "https://issues.redhat.com/browse/TC-1857", "url": "https://issues.redhat.com/browse/TC-1857" }, { "category": "external", "summary": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2310908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310908" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2/html/release_notes/index", "url": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2/html/release_notes/index" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9884.json" } ], "title": "Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.0", "tracking": { "current_release_date": "2024-12-18T04:40:20+00:00", "generator": { "date": "2024-12-18T04:40:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2024:9884", "initial_release_date": "2024-11-18T14:52:00+00:00", "revision_history": [ { "date": "2024-11-18T14:52:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-11-18T14:52:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-18T04:40:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Trusted Profile Analyzer 1.2", "product": { "name": "Red Hat Trusted Profile Analyzer 1.2", "product_id": "Red Hat Trusted Profile Analyzer 1.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9" } } } ], "category": "product_family", "name": "Red Hat Trusted Profile Analyzer" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64", "product": { 
"name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64", "product_id": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64", "product_identification_helper": { "purl": "pkg:oci/rhtpa-trustification-service-rhel9@sha256%3Ac1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464?arch=amd64\u0026repository_url=registry.redhat.io/rhtpa\u0026tag=1.2.0-1730813392" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64 as a component of Red Hat Trusted Profile Analyzer 1.2", "product_id": "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" }, "product_reference": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64", "relates_to_product_reference": "Red Hat Trusted Profile Analyzer 1.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-45296", "cwe": { "id": "CWE-1333", "name": "Inefficient Regular Expression Complexity" }, "discovery_date": "2024-09-09T19:20:18.127723+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2310908" } ], "notes": [ { "category": "description", "text": "A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. 
Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "path-to-regexp: Backtracking regular expressions cause ReDoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-45296" }, { "category": "external", "summary": "RHBZ#2310908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45296", "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296" }, { "category": "external", "summary": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", "url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f" }, { "category": "external", "summary": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", "url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6" }, { "category": "external", "summary": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", "url": 
"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j" } ], "release_date": "2024-09-09T19:15:13.330000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-18T14:52:00+00:00", "details": "It is recommended that existing users of RHTPA 1.1.2 upgrade to 1.2.0. There are significant changes to the data model. A migration utility is available to allow users to migrate from version 1.1.2 to 1.2.0. For more information please refer to the Release Notes.", "product_ids": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:9884" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "path-to-regexp: Backtracking regular expressions cause ReDoS" }, { 
"cve": "CVE-2024-45590", "cwe": { "id": "CWE-405", "name": "Asymmetric Resource Consumption (Amplification)" }, "discovery_date": "2024-09-10T16:20:29.292154+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2311171" } ], "notes": [ { "category": "description", "text": "A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.", "title": "Vulnerability description" }, { "category": "summary", "text": "body-parser: Denial of Service Vulnerability in body-parser", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-45590" }, { "category": "external", "summary": "RHBZ#2311171", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311171" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45590", "url": "https://www.cve.org/CVERecord?id=CVE-2024-45590" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590" }, { "category": "external", "summary": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce" }, { "category": "external", "summary": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "url": 
"https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7" } ], "release_date": "2024-09-10T16:15:21.083000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-11-18T14:52:00+00:00", "details": "It is recommended that existing users of RHTPA 1.1.2 upgrade to 1.2.0. There are significant changes to the data model. A migration utility is available to allow users to migrate from version 1.1.2 to 1.2.0. For more information please refer to the Release Notes.", "product_ids": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:9884" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:c1a20911cb6cc59707f517f6203c2f8cb26644ee25dd0ed967393c5f57194464_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "body-parser: Denial of Service Vulnerability in body-parser" } ] }