Vulnerability-Lookup

WID-SEC-W-2026-1367

Vulnerability from csaf_certbund - Published: 2026-05-05 22:00 - Updated: 2026-06-02 22:00

Summary

Red Hat Advanced Cluster Management und Multicluster engine for Kubernetes: Schwachstelle ermöglicht Codeausführung oder DoS

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle Red Hat Advanced Cluster Management und Multicluster engine for Kubernetes ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Linux - Sonstiges

CVE-2026-29063

Affected products

Known affected 10 products

Product	Identifier	Version
Red Hat Enterprise Linux Multicluster engine for Kubernetes v2.11.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:multicluster_engine_for_kubernetes_v2.11.0`	Multicluster engine for Kubernetes v2.11.0
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Red Hat Enterprise Linux Advanced Cluster Management for Kubernetes v2.16.1 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_management_for_kubernetes_v2.16.1`	Advanced Cluster Management for Kubernetes v2.16.1
Red Hat OpenShift Container Platform <4.19.32 Red Hat / OpenShift		Container Platform <4.19.32
Red Hat OpenShift Pipelines <1.20.5 Red Hat / OpenShift		Pipelines <1.20.5
Red Hat OpenShift Container Platform <4.17.54 Red Hat / OpenShift		Container Platform <4.17.54
Red Hat OpenShift Container Platform release 4.21.17 Red Hat / OpenShift	`cpe:/a:redhat:openshift:container_platform_release_4.21.17`	Container Platform release 4.21.17
Red Hat OpenShift Container Platform <4.16.63 Red Hat / OpenShift		Container Platform <4.16.63
IBM DB2 IBM	`cpe:/a:ibm:db2:-`	—

References

16 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2026:13847	external
https://access.redhat.com/errata/RHSA-2026:13853	external
https://access.redhat.com/errata/RHSA-2026:16535	external
https://www.ibm.com/support/pages/node/7273312	external
https://access.redhat.com/errata/RHSA-2026:19410	external
https://access.redhat.com/errata/RHSA-2026:19375	external
https://access.redhat.com/errata/RHSA-2026:19712	external
https://access.redhat.com/errata/RHSA-2026:17598	external
https://access.redhat.com/errata/RHSA-2026:20034	external
https://access.redhat.com/errata/RHSA-2026:20041	external
https://access.redhat.com/errata/RHSA-2026:21931	external
https://access.redhat.com/errata/RHSA-2026:20088	external
https://www.ibm.com/support/pages/node/7274746	external
https://access.redhat.com/errata/RHSA-2026:22465	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle Red Hat Advanced Cluster Management und Multicluster engine for Kubernetes ausnutzen, um beliebigen Programmcode auszuf\u00fchren  oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1367 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1367.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1367 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1367"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13847 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13847"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13853 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13853"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16535 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16535"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7273312 vom 2026-05-18",
        "url": "https://www.ibm.com/support/pages/node/7273312"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19410 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19410"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19375 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19375"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19712 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19712"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17598 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:17598"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20034 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20034"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20041 vom 2026-05-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:20041"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21931 vom 2026-05-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:21931"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20088 vom 2026-05-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:20088"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7274746 vom 2026-06-01",
        "url": "https://www.ibm.com/support/pages/node/7274746"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22465 vom 2026-06-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:22465"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Advanced Cluster Management und Multicluster engine for Kubernetes: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung oder DoS",
    "tracking": {
      "current_release_date": "2026-06-02T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-03T06:13:08.136+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1367",
      "initial_release_date": "2026-05-05T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-05T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-01T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-06-02T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "10"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM DB2",
            "product": {
              "name": "IBM DB2",
              "product_id": "T048379",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:db2:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "IBM QRadar SIEM",
            "product": {
              "name": "IBM QRadar SIEM",
              "product_id": "T021415",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:qradar_siem:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Advanced Cluster Management for Kubernetes v2.16.1",
                "product": {
                  "name": "Red Hat Enterprise Linux Advanced Cluster Management for Kubernetes v2.16.1",
                  "product_id": "T053549",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:advanced_cluster_management_for_kubernetes_v2.16.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Multicluster engine for Kubernetes v2.11.0",
                "product": {
                  "name": "Red Hat Enterprise Linux Multicluster engine for Kubernetes v2.11.0",
                  "product_id": "T053550",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:multicluster_engine_for_kubernetes_v2.11.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Container Platform \u003c4.17.54",
                "product": {
                  "name": "Red Hat OpenShift Container Platform \u003c4.17.54",
                  "product_id": "T054403"
                }
              },
              {
                "category": "product_version",
                "name": "Container Platform 4.17.54",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.17.54",
                  "product_id": "T054403-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:container_platform__4.17.54"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Container Platform release 4.21.17",
                "product": {
                  "name": "Red Hat OpenShift Container Platform release 4.21.17",
                  "product_id": "T054688",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:container_platform_release_4.21.17"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Container Platform \u003c4.19.32",
                "product": {
                  "name": "Red Hat OpenShift Container Platform \u003c4.19.32",
                  "product_id": "T054748"
                }
              },
              {
                "category": "product_version",
                "name": "Container Platform 4.19.32",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.19.32",
                  "product_id": "T054748-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:container_platform__4.19.32"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Container Platform \u003c4.16.63",
                "product": {
                  "name": "Red Hat OpenShift Container Platform \u003c4.16.63",
                  "product_id": "T054875"
                }
              },
              {
                "category": "product_version",
                "name": "Container Platform 4.16.63",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.16.63",
                  "product_id": "T054875-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:container_platform__4.16.63"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Pipelines \u003c1.20.5",
                "product": {
                  "name": "Red Hat OpenShift Pipelines \u003c1.20.5",
                  "product_id": "T054877"
                }
              },
              {
                "category": "product_version",
                "name": "Pipelines 1.20.5",
                "product": {
                  "name": "Red Hat OpenShift Pipelines 1.20.5",
                  "product_id": "T054877-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:pipelines__1.20.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-29063",
      "product_status": {
        "known_affected": [
          "T053550",
          "67646",
          "T021415",
          "T053549",
          "T054748",
          "T054877",
          "T054403",
          "T054688",
          "T054875",
          "T048379"
        ]
      },
      "release_date": "2026-05-05T22:00:00.000+00:00",
      "title": "CVE-2026-29063"
    }
  ]
}

CVE-2026-29063 (GCVE-0-2026-29063)

Vulnerability from cvelistv5 – Published: 2026-03-06 18:25 – Updated: 2026-03-06 19:33

Title

Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Summary

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/immutable-js/immutable-js/secu…	x_refsource_CONFIRM
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC
https://github.com/immutable-js/immutable-js/rele…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
immutable-js	immutable-js	Affected: < 3.8.3 Affected: < 4.3.7 Affected: < 5.1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T19:32:37.694711Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T19:33:31.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "immutable-js",
          "vendor": "immutable-js",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.8.3"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.7"
            },
            {
              "status": "affected",
              "version": "\u003c 5.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T18:25:22.438Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
        },
        {
          "name": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
        }
      ],
      "source": {
        "advisory": "GHSA-wf6x-7x77-mvgw",
        "discovery": "UNKNOWN"
      },
      "title": "Immutable.js: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in immutable"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29063",
    "datePublished": "2026-03-06T18:25:22.438Z",
    "dateReserved": "2026-03-03T20:51:43.481Z",
    "dateUpdated": "2026-03-06T19:33:31.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1367

CVE-2026-29063 (GCVE-0-2026-29063)

Tags

Sightings

Nomenclature