CVE-2020-11022 (GCVE-0-2020-11022)
Vulnerability from cvelistv5 – Published: 2020-04-29 00:00 – Updated: 2026-04-13 13:53 – CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4693",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4693"
},
{
"name": "FEDORA-2020-11be4b36d4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/"
},
{
"name": "FEDORA-2020-36d2db5f51",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jquery.com/upgrade-guide/3.5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200511-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.drupal.org/sa-core-2020-002"
},
{
"name": "openSUSE-SU-2020:1060",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
},
{
"name": "GLSA-202007-03",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-03"
},
{
"name": "openSUSE-SU-2020:1106",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
},
{
"name": "[airflow-commits] 20200820 [GitHub] [airflow] breser opened a new issue #10429: jquery dependency needs to be updated to 3.5.0 or newer",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "FEDORA-2020-fbb94073a1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/"
},
{
"name": "FEDORA-2020-0b32a59b54",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/"
},
{
"name": "FEDORA-2020-fe94df8c34",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:1888",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
},
{
"name": "[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2020-11"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2020-10"
},
{
"name": "[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
},
{
"name": "[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-02"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jQuery",
"vendor": "jquery",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:53:08.239Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2"
},
{
"name": "https://github.com/maximebf/php-debugbar/issues/447",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maximebf/php-debugbar/issues/447"
},
{
"name": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77"
},
{
"name": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W"
},
{
"name": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
},
{
"name": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
},
{
"name": "https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
},
{
"name": "https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html"
},
{
"name": "https://security.gentoo.org/glsa/202007-03",
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202007-03"
},
{
"name": "https://www.debian.org/security/2020/dsa-4693",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2020/dsa-4693"
},
{
"name": "https://www.drupal.org/sa-core-2020-002",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.drupal.org/sa-core-2020-002"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.tenable.com/security/tns-2020-10",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/tns-2020-10"
},
{
"name": "https://www.tenable.com/security/tns-2020-11",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/tns-2020-11"
},
{
"name": "https://www.tenable.com/security/tns-2021-02",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/tns-2021-02"
},
{
"name": "https://www.tenable.com/security/tns-2021-10",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"name": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
},
{
"name": "https://github.com/jquery/jquery/releases/tag/3.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jquery/jquery/releases/tag/3.5.0"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml"
},
{
"name": "https://jquery.com/upgrade-guide/3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://jquery.com/upgrade-guide/3.5"
},
{
"name": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B"
},
{
"name": "http://security.netapp.com/advisory/ntap-20200511-0006",
"tags": [
"x_refsource_MISC"
],
"url": "http://security.netapp.com/advisory/ntap-20200511-0006"
}
],
"source": {
"advisory": "GHSA-gxr4-xjj5-5px2",
"discovery": "UNKNOWN"
},
"title": "jQuery has a potential XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11022",
"datePublished": "2020-04-29T00:00:00.000Z",
"dateReserved": "2020-03-30T00:00:00.000Z",
"dateUpdated": "2026-04-13T13:53:08.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-11022",
"date": "2026-05-29",
"epss": "0.02456",
"percentile": "0.85469"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-11022\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-29T22:15:11.903\",\"lastModified\":\"2026-04-13T15:16:29.173\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.\"},{\"lang\":\"es\",\"value\":\"En las versiones de jQuery mayores o iguales a 1.2 y anteriores a la versi\u00f3n 3.5.0, se puede ejecutar HTML desde fuentes no seguras, incluso despu\u00e9s de desinfectarlo, a uno de los m\u00e9todos de manipulaci\u00f3n DOM de jQuery (es decir .html (), .append () y otros). c\u00f3digo no seguro Este problema est\u00e1 corregido en jQuery 3.5.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist
.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2\",\"versionEndExcluding\":\"3.5.0\",\"matchCriteriaId\":\"B5CFA4CA-5296-4B78-8D65-34FC63A09DEF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.70\",\"matchCriteriaId\":\"70C672EE-2027-4A29-8C14-3450DEF1462A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.7.0\",\"versionEndExcluding\":\"8.7.14\",\"matchCriteriaId\":\"BBFE42E2-6583-4EBE-B320-B8CF9CA0C3BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.8.0\",\"versionEndExcluding\":\"8.8.6\",\"matchCriteriaId\":\"7BA49DB0-ECC3-4155-B76C-0CA292600DE6\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]
},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A079FD6E-3BB0-4997-9A8E-6F8FEC89887A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A125E817-F974-4509-872C-B71933F42AD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBE7BF09-B89C-4590-821E-6C0587E096B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7231D2D-4092-44F3-B60A-D7C9ED78AFDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"18127694-109C-4E7E-AE79-0BA351849291\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*\",\
"versionEndExcluding\":\"21.1.2\",\"matchCriteriaId\":\"D0DBC938-A782-433F-8BF1-CA250C332AA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B796AC70-A220-48D8-B8CD-97CF57227962\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"790A89FD-6B86-49AE-9B4F-AE7262915E13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E39D442D-1997-49AF-8B02-5640BE2A26CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\\\\::*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"FAFED7F5-03FA-43B5-AD13-1130F0324448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndIncluding\":\"16.4.0\",\"matchCriteriaId\":\"1A0E3537-CB5A-40BF-B42C-CED9211B8892\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"062E4E7C-55BB-46F3-8B61-5A663B565891\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"726DB59B-00C7-444E-83F7-CB31032482AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B095CC03-7077-4A58-AB25-CC5380CDCE5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7015A8CB-8FA6-423E-8307-BD903244F517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":
\"8.0.6.0.0\",\"versionEndIncluding\":\"8.1.0.0.0\",\"matchCriteriaId\":\"F2BB6A71-6AF6-4C0B-9304-4111E32108D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"AD080793-FC45-4260-8E45-40E228F432FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2ACA29E6-F393-46E5-B2B3-9158077819A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCD1EC13-CC2F-4668-90D2-D8609066F2DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D614F76-0AA1-4EA8-A24A-38EFC90EF5DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"39B8DFFF-B037-4F29-8C8E-F4BBC3435199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D0D0EAC-300D-44B1-AD4A-93A368D5DBA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"C5E0646D-4866-41FB-AE2E-5307B6F4004A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A566893-8DCF-49E4-93D0-0ACCEFD70D3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"B37
FC113-4F40-4D29-8712-7AD250373008\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00E5D719-249D-48B8-BAFC-1E14D250B3F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCriteriaId\":\"712577A9-04D6-4579-A82B-72200E467399\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.9\",\"matchCriteriaId\":\"672949B4-1989-4AA7-806F-EEC07D07F317\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"987A0C35-4C7F-4FFB-B47B-37B69A32F879\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3B6BE3-4C5A-402F-832C-86A0A6234C25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9476D1DA-C8A8-40A0-94DD-9B46C05FD461\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34070F24-2E53-43EC-9117-E1434B2C4C2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9B2C2F6-235F-4E78-A299-18C041C05C9A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F727AAC6-6D9F-4B28-B07C-6A93916C43A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndInc
luding\":\"8.0.8\",\"matchCriteriaId\":\"6662C783-5B5C-4559-89F5-1A681AA46A3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51C17460-D326-4525-A7D1-0AED53E75E18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37C8EE84-A840-4132-B331-C7D450B1FBBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D8436A2-9CA3-4C91-B632-9B03368ABC1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A00142E6-EEB3-44BD-AB0D-0E5C5640557F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6149C89E-0111-4CF9-90CA-0662D2F75E04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CDDF6CA-6441-4606-9D2F-22A67BA46978\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FA0B592-A216-4320-A4FE-ABCA6B3E7D7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEA4D6CF-D54A-40DF-9B70-E13392D0BE19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"2A333755-4B6E-4A0F-AC48-4CEA70CD5801\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.
1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"397B1A24-7C95-4A73-8363-4529A7F6CFCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF6D5112-4055-4F89-A5B3-0DCB109481B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D262848E-AA24-4057-A747-6221BA22ADF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A01F8ED-64DA-43BC-9C02-488010BCD0F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75638A6A-88B2-4BC7-84EA-1CF5FC30D555\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"501B9331-6BB7-44BF-A664-180CAFABF88C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2A3AE3C-8E24-4FB6-9954-9B50CBD59B21\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8E565DA-91BE-44FC-A28F-579BE8D2281A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCriteriaId\":\"AED72F90-3B68-45AC-865C-110F7FD30D37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.9\",\"matchCriteriaId\":\"4F909C61-1A74-402C-B74F-BAF7297875B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:
7.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26A1F27B-C3AC-4D13-B9B2-2D6CF65D07BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B95E8056-51D8-4390-ADE3-661B7AE1D7CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"609D6EDF-D4D0-4370-9B8B-CA39D41946C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9059A907-508B-4844-8D7B-0FA68C0DF6A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AC63D10-2326-4542-B345-31D45B9A7408\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.1.0\",\"versionEndIncluding\":\"19.1.2\",\"matchCriteriaId\":\"7BFD7783-BE15-421C-A550-7FE15AB53ABF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F7BF047-03C5-4A60-B718-E222B16DBF41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3A73D81-3E1A-42E6-AB96-835CDD5905F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66136D6D-FC52-40DB-B7B6-BA8B7758CE16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06514F46-544B-4404-B45C-C9584EBC3131\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3BD4BF9A-BF38-460D-974D-5B3255AAF946\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCr
iteriaId\":\"B7DB4831-F874-4D9D-AB58-BE4A554891EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0.0\",\"versionEndIncluding\":\"5.6.0.0\",\"matchCriteriaId\":\"B47C73D0-BE89-4D87-8765-12C507F13AFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B8AA91A-1880-43CD-938D-48EF58ACF2CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7506589-9B3B-49BA-B826-774BFDCC45B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"335AB6A7-3B1F-4FA8-AF08-7D64C16C4B04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0A735B4-4F3C-416B-8C08-9CB21BAD2889\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E1E416B-920B-49A0-9523-382898C2979D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndIncluding\":\"12.2.20\",\"matchCriteriaId\":\"15512D27-7BEB-4DDD-9A1B-447FC7156E3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DB5E2C7-9C68-4D3B-95AD-9CBF65DE1E94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0\
",\"versionEndIncluding\":\"12.2.20\",\"matchCriteriaId\":\"90F0B2AB-453C-4585-8753-74D17BD20C79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"31C7EEA3-AA72-48DA-A112-2923DBB37773\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0735989-13BD-40B3-B954-AC0529C5B53D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EFAEA84-E376-40A2-8C9F-3E0676FEC527\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"959316A8-C3AF-4126-A242-3835ED0AD1E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDB925C6-2CBC-4D88-B9EA-F246F4F7A206\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98B9198C-11DF-4E80-ACFC-DC719CED8C7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6953CFDB-33C0-4B8E-BBBD-E460A17E8ED3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B40B13B7-68B3-4510-968C-6A730EB46462\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C93CC705-1F8C-4870-99E6-14BF264C3811\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F14A818F-AA16-4438-A3E4-E64C9287AC66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BCDC24-4A21-4
73C-8733-0D9CFB38A752\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD1FCB0D-3E19-4461-9330-4D7F02972A35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1BE6C1F-2565-4E97-92AA-16563E5660A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0\",\"versionEndIncluding\":\"3.1.3\",\"matchCriteriaId\":\"B9273745-6408-4CD3-94E8-9385D4F5FE69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F4754FB-E3EB-454A-AB1A-AE3835C5350C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDFB1169-41A0-4A86-8E4F-FDA9730B1E94\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6770B6C3-732E-4E22-BF1C-2D2FD610061C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F9C8C20-42EB-4AB5-BD97-212DEB070C43\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FFF7106-ED78-49BA-9EC5-B889E3685D53\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E63D8B0F-006E-4801-BF9D-1C001BBFB4F9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56409CEC-5A1E-4450-AA42-641E4
59CC2AF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B06F4839-D16A-4A61-9BB5-55B13F41E47F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"108A2215-50FB-4074-94CF-C130FA14566D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32F0B6C0-F930-480D-962B-3F4EFDCC13C7\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"803BC414-B250-4E3A-A478-A3881340D6B8\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FEB3337-BFDE-462A-908B-176F92053CEC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"736AEAE9-782B-4F71-9893-DED53367E102\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0B4AD8A-F172-4558-AEC6-FF424BA2D912\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8497A4C9-8474-4A62-8331-3FE862ED4098\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":fa
lse,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDDF61B7-EC5C-467C-B710-B89F502CD04F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.0.9\",\"matchCriteriaId\":\"4ACF85D6-6B45-43DA-9C01-F0208186F014\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA6F2E4C-C935-40CF-972E-8C3D8A912134\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.1\",\"versionEndIncluding\":\"20.1\",\"matchCriteriaId\":\"59830587-A6B0-4642-B566-6FD8792F7716\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B796AC70-A220-48D8-B8CD-97CF57227962\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"790A89FD-6B86-49AE-9B4F-AE7262915E13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E39D442D-1997-49AF-8B02-
5640BE2A26CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\\\\::*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"FAFED7F5-03FA-43B5-AD13-1130F0324448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"726DB59B-00C7-444E-83F7-CB31032482AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B095CC03-7077-4A58-AB25-CC5380CDCE5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7015A8CB-8FA6-423E-8307-BD903244F517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCriteriaId\":\"021014B2-DC51-481C-BCFE-5857EFBDEDDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"AD080793-FC45-4260-8E45-40E228F432FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2ACA29E6-F393-46E5-B2B3-9158077819A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCD1EC13-CC2F-4668-90D2-D8609066F2DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D614F76-0AA1-4EA8-A24A-38EFC90EF5DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:
*:*:*:*:*\",\"matchCriteriaId\":\"39B8DFFF-B037-4F29-8C8E-F4BBC3435199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D0D0EAC-300D-44B1-AD4A-93A368D5DBA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"C5E0646D-4866-41FB-AE2E-5307B6F4004A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A566893-8DCF-49E4-93D0-0ACCEFD70D3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"B37FC113-4F40-4D29-8712-7AD250373008\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00E5D719-249D-48B8-BAFC-1E14D250B3F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCriteriaId\":\"712577A9-04D6-4579-A82B-72200E467399\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.9\",\"matchCriteriaId\":\"672949B4-1989-4AA7-806F-EEC07D07F317\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"987A0C35-4C7F-4FFB-B47B-37B69A32F879\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\"
:\"8B3B6BE3-4C5A-402F-832C-86A0A6234C25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9476D1DA-C8A8-40A0-94DD-9B46C05FD461\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34070F24-2E53-43EC-9117-E1434B2C4C2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9B2C2F6-235F-4E78-A299-18C041C05C9A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F727AAC6-6D9F-4B28-B07C-6A93916C43A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"6662C783-5B5C-4559-89F5-1A681AA46A3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51C17460-D326-4525-A7D1-0AED53E75E18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"37C8EE84-A840-4132-B331-C7D450B1FBBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D8436A2-9CA3-4C91-B632-9B03368ABC1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A00142E6-EEB3-44BD-AB0D-0E5C5640557F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6149C89E-0111-4CF9-90CA-0662D2F75E04\"},{\"vulnerable\":true,\"criteria\"
:\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CDDF6CA-6441-4606-9D2F-22A67BA46978\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FA0B592-A216-4320-A4FE-ABCA6B3E7D7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEA4D6CF-D54A-40DF-9B70-E13392D0BE19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.8\",\"matchCriteriaId\":\"2A333755-4B6E-4A0F-AC48-4CEA70CD5801\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"397B1A24-7C95-4A73-8363-4529A7F6CFCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF6D5112-4055-4F89-A5B3-0DCB109481B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D262848E-AA24-4057-A747-6221BA22ADF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A01F8ED-64DA-43BC-9C02-488010BCD0F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75638A6A-88B2-4BC7-84EA-1CF5FC30D555\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"501B9331-6BB7-44BF-A664-180CAFABF88C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.
3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2A3AE3C-8E24-4FB6-9954-9B50CBD59B21\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8E565DA-91BE-44FC-A28F-579BE8D2281A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.1.0\",\"matchCriteriaId\":\"AED72F90-3B68-45AC-865C-110F7FD30D37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.6\",\"versionEndIncluding\":\"8.0.9\",\"matchCriteriaId\":\"4F909C61-1A74-402C-B74F-BAF7297875B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26A1F27B-C3AC-4D13-B9B2-2D6CF65D07BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B95E8056-51D8-4390-ADE3-661B7AE1D7CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"609D6EDF-D4D0-4370-9B8B-CA39D41946C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9059A907-508B-4844-8D7B-0FA68C0DF6A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AC63D10-2326-4542-B345-31D45B9A7408\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F7BF047-03C5-4A60-B718-E222B16DBF41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3A73D81-3E1A-42E6-AB96-835CDD5905F2\"},{\"vulnerable\":true,\"c
riteria\":\"cpe:2.3:a:oracle:hospitality_simphony:19.1.0-19.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"351F9DE9-2FCE-4BCA-A098-CDFB07E6E4B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66136D6D-FC52-40DB-B7B6-BA8B7758CE16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06514F46-544B-4404-B45C-C9584EBC3131\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3BD4BF9A-BF38-460D-974D-5B3255AAF946\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_data_foundation:8.0.6-8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D10745C6-2751-4FD0-BDFA-84C7AB8066BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0.0\",\"versionEndIncluding\":\"5.6.0.0\",\"matchCriteriaId\":\"B47C73D0-BE89-4D87-8765-12C507F13AFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B8AA91A-1880-43CD-938D-48EF58ACF2CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7506589-9B3B-49BA-B826-774BFDCC45B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"335AB6A7-3B1F-4FA8-AF08-7D64C16C4B04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0A735B4-4F3C-416B-8C08-9CB21BAD2889\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enter
prise_peopletools:8.57:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E1E416B-920B-49A0-9523-382898C2979D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndIncluding\":\"12.2.20\",\"matchCriteriaId\":\"15512D27-7BEB-4DDD-9A1B-447FC7156E3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DB5E2C7-9C68-4D3B-95AD-9CBF65DE1E94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndIncluding\":\"12.2.20\",\"matchCriteriaId\":\"90F0B2AB-453C-4585-8753-74D17BD20C79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"31C7EEA3-AA72-48DA-A112-2923DBB37773\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0735989-13BD-40B3-B954-AC0529C5B53D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EFAEA84-E376-40A2-8C9F-3E0676FEC527\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"959316A8-C3AF-4126-A242-3835ED0AD1E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDB925C6-2CBC-4D88-B9EA-F246F4F7A206\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98B9198C-11DF-4E80-ACFC-DC719CED8C7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*\",\"matchC
riteriaId\":\"B40B13B7-68B3-4510-968C-6A730EB46462\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C93CC705-1F8C-4870-99E6-14BF264C3811\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F14A818F-AA16-4438-A3E4-E64C9287AC66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BCDC24-4A21-473C-8733-0D9CFB38A752\"}]}]}],\"references\":[{\"url\":\"http://security.netapp.com/advisory/ntap-20200511-0006\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://blog.jquery.com/2020/04/10/jquery-3-5-0-released\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/jquery/jquery/releases/tag/3.5.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/maximebf/php-debugbar/issues/447\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://jquery.com/upgrade-guide/3.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E\",\"source\":\"security-advisories@github.com
\"},{\"url\":\"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.opensuse.org/opensuse-security-an
nounce/2020-07/msg00085.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202007-03\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4693\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.drupal.org/sa-core-2020-002\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2021.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2020-10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2020-11\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2021-02\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2021-10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party 
Advisory\"]},{\"url\":\"https://jquery.com/upgrade-guide/3.5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133%40%3Ccommits.airflow.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabea
ae5e4%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202007-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200511-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4693\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.drupal.org/sa-core-2020-002\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2020-10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2020-11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2021-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/tns-2021-10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
ICSA-25-182-07
Vulnerability from csaf_cisa - Published: 2025-06-24 12:30 - Updated: 2025-06-24 12:30
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Hitachi Energy MSM 2.2.9 | Hitachi Energy / MSM | <=2.2.9 | Mitigation |
{
"document": {
"acknowledgments": [
{
"organization": "Hitachi Energy PSIRT",
"summary": "reporting this vulnerability to CISA."
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/specification-document",
"text": "MEDIUM"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "Hitachi Energy is aware of the vulnerability CVE-2020-11022 that affects MSM versions as listed below. If an attacker successfully exploits this vulnerability, it could impact the confidentiality, integrity or availability of MSM. Please consult the Recommended Immediate Actions Section for mitigation actions.",
"title": "Summary"
},
{
"category": "legal_disclaimer",
"text": "The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warran-ties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software de-scribed in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.",
"title": "Notice"
},
{
"category": "general",
"text": "MSM is not intrinsically designed and intended to be directly connected to the internet. Please disconnect the device from any internet facing network, if any installation has performed the same. Suggest adopting user access management and any state-of-the-art antivirus protection engines equipped with the latest signature rules on the computers that have installed and operating the MSM Client application. As an example, please use the Operating System (OS) inbuilt user access management functionality, if supported, to limit the probabil-ity of unauthorized access followed by rogue commands via MSM Client application.\nAlso, recommend following the hardening guidelines published by \u201cThe Center for Internet Security (CIS)\u201d https://www.cisecurity.org/about-us/ to protect the host Operating System of computers that connects with MSM. This measure would then prevent the lateral movement of the attack vector into MSM via these connected de-vices. Some examples for Windows based computers are listed below.\n1)\tCIS Microsoft Windows Desktop Benchmarks (cisecurity.org) \n2)\tCIS Microsoft Windows Server Benchmarks (cisecurity.org)\nAdditional general mitigation factors are suggested below.\nRecommended security practices and firewall configurations can help protect a network from attacks that originate from outside the network. Such practices include those systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Monitoring systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected. 
Please also follow the cybersecurity deployment recommendations as document inside section 3.9 of 2GHV045871_2018-P-en-Modular Switchgear Monitoring (MSM) - C.",
"title": "General Mitigation"
},
{
"category": "other",
"text": "For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.",
"title": "Support"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000219 from a direct conversion of their vendor\u0027s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA\u0027s website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Switzerland",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-25-182-07 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-182-07.json"
},
{
"summary": "Cybersecurity Advisory",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000219\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-25-182-07 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-07"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Hitachi Energy MSM",
"tracking": {
"current_release_date": "2025-06-24T12:30:00.000000Z",
"generator": {
"date": "2025-07-01T18:36:31.613056Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-25-182-07",
"initial_release_date": "2025-06-24T12:30:00.000000Z",
"revision_history": [
{
"date": "2025-06-24T12:30:00.000000Z",
"number": "1",
"summary": "initial version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=2.2.9",
"product": {
"name": "Hitachi Energy MSM 2.2.9",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_family",
"name": "MSM"
}
],
"category": "vendor",
"name": "Hitachi Energy"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "description",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.",
"title": "CVE description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Apply General Mitigation Factors/Workarounds",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
OPENSUSE-SU-2020:1060-1
Vulnerability from csaf_opensuse - Published: 2020-07-25 18:21 - Updated: 2020-07-25 18:21
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:cacti-1.2.13-11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cacti, cacti-spine",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cacti, cacti-spine fixes the following issues:\n\n- cacti 1.2.13:\n\n * Query XSS vulnerabilities require vendor package update\n (CVE-2020-11022 / CVE-2020-11023)\n * Lack of escaping on some pages can lead to XSS exposure\n * Update PHPMailer to 6.1.6 (CVE-2020-13625)\n * SQL Injection vulnerability due to input validation failure when\n editing colors (CVE-2020-14295, boo#1173090)\n * Lack of escaping on template import can lead to XSS exposure\n\n- switch from cron to systemd timers (boo#1115436):\n + cacti-cron.timer\n + cacti-cron.service\n- avoid potential root escalation on systems with fs.protected_hardlinks=0\n (boo#1154087): handle directory permissions in file section instead\n of using chown during post installation\n- rewrote apache configuration to get rid of .htaccess files and \n explicitely disable directory permissions per default \n (only allow a limited, well-known set of directories)\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1060",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1060-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1060-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VVPI65AW45TXMRAYCWJ6YJT3LF4GIMWL/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1060-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VVPI65AW45TXMRAYCWJ6YJT3LF4GIMWL/"
},
{
"category": "self",
"summary": "SUSE Bug 1115436",
"url": "https://bugzilla.suse.com/1115436"
},
{
"category": "self",
"summary": "SUSE Bug 1154087",
"url": "https://bugzilla.suse.com/1154087"
},
{
"category": "self",
"summary": "SUSE Bug 1173090",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11023 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11023/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-13625 page",
"url": "https://www.suse.com/security/cve/CVE-2020-13625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14295 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14295/"
}
],
"title": "Security update for cacti, cacti-spine",
"tracking": {
"current_release_date": "2020-07-25T18:21:21Z",
"generator": {
"date": "2020-07-25T18:21:21Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1060-1",
"initial_release_date": "2020-07-25T18:21:21Z",
"revision_history": [
{
"date": "2020-07-25T18:21:21Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-8.1.aarch64",
"product": {
"name": "cacti-spine-1.2.13-8.1.aarch64",
"product_id": "cacti-spine-1.2.13-8.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.13-11.1.noarch",
"product": {
"name": "cacti-1.2.13-11.1.noarch",
"product_id": "cacti-1.2.13-11.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-8.1.ppc64le",
"product": {
"name": "cacti-spine-1.2.13-8.1.ppc64le",
"product_id": "cacti-spine-1.2.13-8.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-8.1.s390x",
"product": {
"name": "cacti-spine-1.2.13-8.1.s390x",
"product_id": "cacti-spine-1.2.13-8.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-8.1.x86_64",
"product": {
"name": "cacti-spine-1.2.13-8.1.x86_64",
"product_id": "cacti-spine-1.2.13-8.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 12",
"product": {
"name": "SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:12"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.13-11.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-1.2.13-11.1.noarch"
},
"product_reference": "cacti-1.2.13-11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.aarch64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64"
},
"product_reference": "cacti-spine-1.2.13-8.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.ppc64le as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.13-8.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.s390x as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x"
},
"product_reference": "cacti-spine-1.2.13-8.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.x86_64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64"
},
"product_reference": "cacti-spine-1.2.13-8.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.13-11.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch"
},
"product_reference": "cacti-1.2.13-11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.aarch64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64"
},
"product_reference": "cacti-spine-1.2.13-8.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.ppc64le as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.13-8.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.s390x as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x"
},
"product_reference": "cacti-spine-1.2.13-8.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64"
},
"product_reference": "cacti-spine-1.2.13-8.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.13-11.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch"
},
"product_reference": "cacti-1.2.13-11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.aarch64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64"
},
"product_reference": "cacti-spine-1.2.13-8.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.ppc64le as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.13-8.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.s390x as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x"
},
"product_reference": "cacti-spine-1.2.13-8.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-8.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
},
"product_reference": "cacti-spine-1.2.13-8.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-25T18:21:21Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
},
{
"cve": "CVE-2020-11023",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11023"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11023",
"url": "https://www.suse.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190660 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1190660"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-25T18:21:21Z",
"details": "moderate"
}
],
"title": "CVE-2020-11023"
},
{
"cve": "CVE-2020-13625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-13625"
}
],
"notes": [
{
"category": "general",
"text": "PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-13625",
"url": "https://www.suse.com/security/cve/CVE-2020-13625"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-13625",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-25T18:21:21Z",
"details": "important"
}
],
"title": "CVE-2020-13625"
},
{
"cve": "CVE-2020-14295",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14295"
}
],
"notes": [
{
"category": "general",
"text": "A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14295",
"url": "https://www.suse.com/security/cve/CVE-2020-14295"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-14295",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:cacti-1.2.13-11.1.noarch",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.aarch64",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.ppc64le",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.s390x",
"SUSE Package Hub 12:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.1:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.1:cacti-spine-1.2.13-8.1.x86_64",
"openSUSE Leap 15.2:cacti-1.2.13-11.1.noarch",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.aarch64",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.ppc64le",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.s390x",
"openSUSE Leap 15.2:cacti-spine-1.2.13-8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-25T18:21:21Z",
"details": "important"
}
],
"title": "CVE-2020-14295"
}
]
}
OPENSUSE-SU-2020:1106-1
Vulnerability from csaf_opensuse - Published: 2020-07-27 21:28 - Updated: 2020-07-27 21:28

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id | SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch | — | Vendor Fix |
| Unresolved product id | SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64 | — | Vendor Fix |
| Unresolved product id | SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le | — | Vendor Fix |
| Unresolved product id | SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x | — | Vendor Fix |
| Unresolved product id | SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64 | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cacti, cacti-spine",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cacti, cacti-spine fixes the following issues:\n\n- cacti 1.2.13:\n\n * Query XSS vulnerabilities require vendor package update\n (CVE-2020-11022 / CVE-2020-11023)\n * Lack of escaping on some pages can lead to XSS exposure\n * Update PHPMailer to 6.1.6 (CVE-2020-13625)\n * SQL Injection vulnerability due to input validation failure when\n editing colors (CVE-2020-14295, boo#1173090)\n * Lack of escaping on template import can lead to XSS exposure\n\n- switch from cron to systemd timers (boo#1115436):\n + cacti-cron.timer\n + cacti-cron.service\n- avoid potential root escalation on systems with fs.protected_hardlinks=0\n (boo#1154087): handle directory permissions in file section instead\n of using chown during post installation\n- rewrote apache configuration to get rid of .htaccess files and \n explicitely disable directory permissions per default \n (only allow a limited, well-known set of directories)\n\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1106",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1106-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1106-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1106-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4IXKYESUUIOBHBKL32YKWOWHSJKS7RN3/"
},
{
"category": "self",
"summary": "SUSE Bug 1115436",
"url": "https://bugzilla.suse.com/1115436"
},
{
"category": "self",
"summary": "SUSE Bug 1154087",
"url": "https://bugzilla.suse.com/1154087"
},
{
"category": "self",
"summary": "SUSE Bug 1173090",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11023 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11023/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-13625 page",
"url": "https://www.suse.com/security/cve/CVE-2020-13625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14295 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14295/"
}
],
"title": "Security update for cacti, cacti-spine",
"tracking": {
"current_release_date": "2020-07-27T21:28:47Z",
"generator": {
"date": "2020-07-27T21:28:47Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1106-1",
"initial_release_date": "2020-07-27T21:28:47Z",
"revision_history": [
{
"date": "2020-07-27T21:28:47Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"product": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"product_id": "cacti-spine-1.2.13-bp151.4.12.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.13-bp151.4.12.1.noarch",
"product": {
"name": "cacti-1.2.13-bp151.4.12.1.noarch",
"product_id": "cacti-1.2.13-bp151.4.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"product": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"product_id": "cacti-spine-1.2.13-bp151.4.12.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-bp151.4.12.1.s390x",
"product": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.s390x",
"product_id": "cacti-spine-1.2.13-bp151.4.12.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-spine-1.2.13-bp151.4.12.1.x86_64",
"product": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.x86_64",
"product_id": "cacti-spine-1.2.13-bp151.4.12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP1",
"product": {
"name": "SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.13-bp151.4.12.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch"
},
"product_reference": "cacti-1.2.13-bp151.4.12.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.aarch64 as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64"
},
"product_reference": "cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.ppc64le as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le"
},
"product_reference": "cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.s390x as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x"
},
"product_reference": "cacti-spine-1.2.13-bp151.4.12.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-spine-1.2.13-bp151.4.12.1.x86_64 as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
},
"product_reference": "cacti-spine-1.2.13-bp151.4.12.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-27T21:28:47Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
},
{
"cve": "CVE-2020-11023",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11023"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11023",
"url": "https://www.suse.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190660 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1190660"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-27T21:28:47Z",
"details": "moderate"
}
],
"title": "CVE-2020-11023"
},
{
"cve": "CVE-2020-13625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-13625"
}
],
"notes": [
{
"category": "general",
"text": "PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-13625",
"url": "https://www.suse.com/security/cve/CVE-2020-13625"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-13625",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-27T21:28:47Z",
"details": "important"
}
],
"title": "CVE-2020-13625"
},
{
"cve": "CVE-2020-14295",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14295"
}
],
"notes": [
{
"category": "general",
"text": "A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14295",
"url": "https://www.suse.com/security/cve/CVE-2020-14295"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-14295",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:cacti-1.2.13-bp151.4.12.1.noarch",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.aarch64",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.ppc64le",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.s390x",
"SUSE Package Hub 15 SP1:cacti-spine-1.2.13-bp151.4.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-07-27T21:28:47Z",
"details": "important"
}
],
"title": "CVE-2020-14295"
}
]
}
OPENSUSE-SU-2020:1888-1
Vulnerability from csaf_opensuse - Published: 2020-11-09 19:24 - Updated: 2020-11-09 19:24

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for otrs",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for otrs fixes the following issues:\n\n- otrs was updated to 6.0.30 (OSA-2020-14 boo#1178434)\n - CVE-2020-11022, CVE-2020-11023: Vulnerability in third-party library - jquery\n OTRS uses jquery version 3.4.1, which is vulnerable to cross-site scripting \n (XSS).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1888",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1888-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1888-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q4QSMZXUNVYKSR2VDCHWASQTIS4WW2JC/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1888-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q4QSMZXUNVYKSR2VDCHWASQTIS4WW2JC/"
},
{
"category": "self",
"summary": "SUSE Bug 1178434",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11023 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11023/"
}
],
"title": "Security update for otrs",
"tracking": {
"current_release_date": "2020-11-09T19:24:17Z",
"generator": {
"date": "2020-11-09T19:24:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1888-1",
"initial_release_date": "2020-11-09T19:24:17Z",
"revision_history": [
{
"date": "2020-11-09T19:24:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "otrs-6.0.30-bp152.2.11.1.noarch",
"product": {
"name": "otrs-6.0.30-bp152.2.11.1.noarch",
"product_id": "otrs-6.0.30-bp152.2.11.1.noarch"
}
},
{
"category": "product_version",
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"product": {
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"product_id": "otrs-doc-6.0.30-bp152.2.11.1.noarch"
}
},
{
"category": "product_version",
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"product": {
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"product_id": "otrs-itsm-6.0.30-bp152.2.11.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP1",
"product": {
"name": "SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1"
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-doc-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-doc-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "otrs-itsm-6.0.30-bp152.2.11.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
},
"product_reference": "otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-09T19:24:17Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
},
{
"cve": "CVE-2020-11023",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11023"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11023",
"url": "https://www.suse.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190660 for CVE-2020-11023",
"url": "https://bugzilla.suse.com/1190660"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1.noarch",
"openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-09T19:24:17Z",
"details": "moderate"
}
],
"title": "CVE-2020-11023"
}
]
}
OPENSUSE-SU-2024:10670-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64 | — | | Vendor Fix |
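The rendered table above reports "Unresolved product id" for every row because the ids it lists (openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64 and the other three architectures) are not products in the CSAF branch tree. In CSAF 2.0 such ids are created by the relationships entries of the product_tree: each full_product_name.product_id is a new id, and it is those ids that the vulnerabilities block refers to in product_status, remediations and scores. The Python below is an added example, not part of this page and not SUSE's tooling. It builds a product index from both sources, joins each vulnerability's product_status, remediations, scores and threats into one row per product, and recomputes the CVSS v3 base score from the vector string (weights and the integer round-up from the FIRST specification) so the stated baseScore can be cross-checked. CSAF_DOC is a constructed, trimmed copy of this advisory's structure (one architecture, one vulnerability) with the real CSAF field names; the function names are this example's own.

```python
import math

# Constructed test input, not the vendor's file: a trimmed CSAF 2.0 document with
# the layout of openSUSE-SU-2024:10670-1 (one architecture, one vulnerability).
CSAF_DOC = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "SUSE", "branches": [
            {"category": "architecture", "name": "x86_64", "branches": [
                {"category": "product_version", "name": "cacti-1.2.18-1.2.x86_64",
                 "product": {"name": "cacti-1.2.18-1.2.x86_64",
                             "product_id": "cacti-1.2.18-1.2.x86_64"}}]},
            {"category": "product_family", "name": "SUSE Linux Enterprise", "branches": [
                {"category": "product_name", "name": "openSUSE Tumbleweed",
                 "product": {"name": "openSUSE Tumbleweed",
                             "product_id": "openSUSE Tumbleweed"}}]}]}],
        "relationships": [
            {"category": "default_component_of",
             "full_product_name": {
                 "name": "cacti-1.2.18-1.2.x86_64 as component of openSUSE Tumbleweed",
                 "product_id": "openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"},
             "product_reference": "cacti-1.2.18-1.2.x86_64",
             "relates_to_product_reference": "openSUSE Tumbleweed"}]},
    "vulnerabilities": [
        {"cve": "CVE-2017-12065",
         "product_status": {"recommended": ["openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"]},
         "remediations": [{"category": "vendor_fix",
                           "product_ids": ["openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"]}],
         "scores": [{"cvss_v3": {"baseScore": 9.8,
                                 "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
                     "products": ["openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"]}],
         "threats": [{"category": "impact", "details": "critical"}]}]}


def product_index(tree):
    """Map every product_id to a display name, from both places CSAF 2.0 defines
    them: leaf "product" objects under branches, and relationships."""
    names = {}

    def walk(branch):
        if "product" in branch:
            names[branch["product"]["product_id"]] = branch["product"]["name"]
        for child in branch.get("branches", []):
            walk(child)

    for top in tree.get("branches", []):
        walk(top)
    for rel in tree.get("relationships", []):  # ids like "<os>:<package>" live only here
        names[rel["full_product_name"]["product_id"]] = rel["full_product_name"]["name"]
    return names


# CVSS v3 base-metric weights from the FIRST specification; PR depends on Scope.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC, _UI = {"L": 0.77, "H": 0.44}, {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}


def _roundup(x):
    # Integer form of Roundup from the v3.1 spec: same result as v3.0's
    # "round up to one decimal", but immune to float artefacts.
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(vector):
    """Recompute the base score from a CVSS:3.x vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploit = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["S"]][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploit if m["S"] == "U" else 1.08 * (impact + exploit)
    return _roundup(min(total, 10))


def remediation_rows(doc):
    """One row per (vulnerability, product): resolved name, remediation, stated vs
    recomputed CVSS base score, and the vendor's impact rating."""
    names = product_index(doc["product_tree"])
    rows = []
    for v in doc["vulnerabilities"]:
        fix = {p: r["category"] for r in v.get("remediations", []) for p in r["product_ids"]}
        cvss = {p: s["cvss_v3"] for s in v.get("scores", []) for p in s["products"]}
        impact = next((t["details"] for t in v.get("threats", []) if t["category"] == "impact"), None)
        for status, pids in v["product_status"].items():
            for p in pids:
                sc = cvss.get(p)
                rows.append({"cve": v["cve"], "status": status, "impact": impact,
                             "product": names.get(p, "Unresolved product id: " + p),
                             "remediation": fix.get(p), "stated": sc["baseScore"] if sc else None,
                             "computed": cvss3_base_score(sc["vectorString"]) if sc else None})
    return rows


if __name__ == "__main__":
    print(*remediation_rows(CSAF_DOC), sep="\n")
```

Two things worth noticing when triaging this advisory from the JSON rather than from a rendered table: the document-level aggregate_severity is "moderate" while individual entries carry an impact of "critical" (CVE-2017-12065, with a 9.8 vector), so filter on the per-vulnerability threats and scores, not on the aggregate; and product_status uses the "recommended" category rather than "fixed", so a consumer that only looks for "fixed" products will miss the whole notice.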
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cacti-1.2.18-1.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cacti-1.2.18-1.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10670",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10670-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2006-6799 page",
"url": "https://www.suse.com/security/cve/CVE-2006-6799/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2007-3112 page",
"url": "https://www.suse.com/security/cve/CVE-2007-3112/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2009-4112 page",
"url": "https://www.suse.com/security/cve/CVE-2009-4112/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-4000 page",
"url": "https://www.suse.com/security/cve/CVE-2014-4000/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-10970 page",
"url": "https://www.suse.com/security/cve/CVE-2017-10970/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-11163 page",
"url": "https://www.suse.com/security/cve/CVE-2017-11163/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-11691 page",
"url": "https://www.suse.com/security/cve/CVE-2017-11691/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12065 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12065/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12927 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12927/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12978 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12978/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-15194 page",
"url": "https://www.suse.com/security/cve/CVE-2017-15194/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-16641 page",
"url": "https://www.suse.com/security/cve/CVE-2017-16641/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-16660 page",
"url": "https://www.suse.com/security/cve/CVE-2017-16660/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-16661 page",
"url": "https://www.suse.com/security/cve/CVE-2017-16661/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-16785 page",
"url": "https://www.suse.com/security/cve/CVE-2017-16785/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20723 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20724 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20724/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20725 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-20726 page",
"url": "https://www.suse.com/security/cve/CVE-2018-20726/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16723 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17357 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17357/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-17358 page",
"url": "https://www.suse.com/security/cve/CVE-2019-17358/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-13625 page",
"url": "https://www.suse.com/security/cve/CVE-2020-13625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14295 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14295/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14424 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14424/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25706 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25706/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-35701 page",
"url": "https://www.suse.com/security/cve/CVE-2020-35701/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7106 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7106/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7237 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7237/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8813 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8813/"
}
],
"title": "cacti-1.2.18-1.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10670-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.18-1.2.aarch64",
"product": {
"name": "cacti-1.2.18-1.2.aarch64",
"product_id": "cacti-1.2.18-1.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.18-1.2.ppc64le",
"product": {
"name": "cacti-1.2.18-1.2.ppc64le",
"product_id": "cacti-1.2.18-1.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.18-1.2.s390x",
"product": {
"name": "cacti-1.2.18-1.2.s390x",
"product_id": "cacti-1.2.18-1.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cacti-1.2.18-1.2.x86_64",
"product": {
"name": "cacti-1.2.18-1.2.x86_64",
"product_id": "cacti-1.2.18-1.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.18-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64"
},
"product_reference": "cacti-1.2.18-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.18-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le"
},
"product_reference": "cacti-1.2.18-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.18-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x"
},
"product_reference": "cacti-1.2.18-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cacti-1.2.18-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
},
"product_reference": "cacti-1.2.18-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2006-6799",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2006-6799"
}
],
"notes": [
{
"category": "general",
"text": "SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2006-6799",
"url": "https://www.suse.com/security/cve/CVE-2006-6799"
},
{
"category": "external",
"summary": "SUSE Bug 231082 for CVE-2006-6799",
"url": "https://bugzilla.suse.com/231082"
},
{
"category": "external",
"summary": "SUSE Bug 236724 for CVE-2006-6799",
"url": "https://bugzilla.suse.com/236724"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2006-6799"
},
{
"cve": "CVE-2007-3112",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2007-3112"
}
],
"notes": [
{
"category": "general",
"text": "graph_image.php in Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_start or (2) graph_end parameter, different vectors than CVE-2007-3113.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2007-3112",
"url": "https://www.suse.com/security/cve/CVE-2007-3112"
},
{
"category": "external",
"summary": "SUSE Bug 326228 for CVE-2007-3112",
"url": "https://bugzilla.suse.com/326228"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2007-3112"
},
{
"cve": "CVE-2009-4112",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2009-4112"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the \"Data Input Method\" for the \"Linux - Get Memory Usage\" setting to contain arbitrary commands.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2009-4112",
"url": "https://www.suse.com/security/cve/CVE-2009-4112"
},
{
"category": "external",
"summary": "SUSE Bug 1122535 for CVE-2009-4112",
"url": "https://bugzilla.suse.com/1122535"
},
{
"category": "external",
"summary": "SUSE Bug 558664 for CVE-2009-4112",
"url": "https://bugzilla.suse.com/558664"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2009-4112"
},
{
"cve": "CVE-2014-4000",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-4000"
}
],
"notes": [
{
"category": "general",
"text": "Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-4000",
"url": "https://www.suse.com/security/cve/CVE-2014-4000"
},
{
"category": "external",
"summary": "SUSE Bug 1022564 for CVE-2014-4000",
"url": "https://bugzilla.suse.com/1022564"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2014-4000"
},
{
"cve": "CVE-2017-10970",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-10970"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-10970",
"url": "https://www.suse.com/security/cve/CVE-2017-10970"
},
{
"category": "external",
"summary": "SUSE Bug 1047512 for CVE-2017-10970",
"url": "https://bugzilla.suse.com/1047512"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2017-10970"
},
{
"cve": "CVE-2017-11163",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-11163"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-11163",
"url": "https://www.suse.com/security/cve/CVE-2017-11163"
},
{
"category": "external",
"summary": "SUSE Bug 1048102 for CVE-2017-11163",
"url": "https://bugzilla.suse.com/1048102"
},
{
"category": "external",
"summary": "SUSE Bug 1051633 for CVE-2017-11163",
"url": "https://bugzilla.suse.com/1051633"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-11163"
},
{
"cve": "CVE-2017-11691",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-11691"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-11691",
"url": "https://www.suse.com/security/cve/CVE-2017-11691"
},
{
"category": "external",
"summary": "SUSE Bug 1050950 for CVE-2017-11691",
"url": "https://bugzilla.suse.com/1050950"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-11691"
},
{
"cve": "CVE-2017-12065",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12065"
}
],
"notes": [
{
"category": "general",
"text": "spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12065",
"url": "https://www.suse.com/security/cve/CVE-2017-12065"
},
{
"category": "external",
"summary": "SUSE Bug 1051633 for CVE-2017-12065",
"url": "https://bugzilla.suse.com/1051633"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2017-12065"
},
{
"cve": "CVE-2017-12927",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12927"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12927",
"url": "https://www.suse.com/security/cve/CVE-2017-12927"
},
{
"category": "external",
"summary": "SUSE Bug 1054390 for CVE-2017-12927",
"url": "https://bugzilla.suse.com/1054390"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2017-12927"
},
{
"cve": "CVE-2017-12978",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12978"
}
],
"notes": [
{
"category": "general",
"text": "lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12978",
"url": "https://www.suse.com/security/cve/CVE-2017-12978"
},
{
"category": "external",
"summary": "SUSE Bug 1054742 for CVE-2017-12978",
"url": "https://bugzilla.suse.com/1054742"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-12978"
},
{
"cve": "CVE-2017-15194",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-15194"
}
],
"notes": [
{
"category": "general",
"text": "include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-15194",
"url": "https://www.suse.com/security/cve/CVE-2017-15194"
},
{
"category": "external",
"summary": "SUSE Bug 1062554 for CVE-2017-15194",
"url": "https://bugzilla.suse.com/1062554"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-15194"
},
{
"cve": "CVE-2017-16641",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-16641"
}
],
"notes": [
{
"category": "general",
"text": "lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-16641",
"url": "https://www.suse.com/security/cve/CVE-2017-16641"
},
{
"category": "external",
"summary": "SUSE Bug 1067166 for CVE-2017-16641",
"url": "https://bugzilla.suse.com/1067166"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2017-16641"
},
{
"cve": "CVE-2017-16660",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-16660"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-16660",
"url": "https://www.suse.com/security/cve/CVE-2017-16660"
},
{
"category": "external",
"summary": "SUSE Bug 1067164 for CVE-2017-16660",
"url": "https://bugzilla.suse.com/1067164"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2017-16660"
},
{
"cve": "CVE-2017-16661",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-16661"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-16661",
"url": "https://www.suse.com/security/cve/CVE-2017-16661"
},
{
"category": "external",
"summary": "SUSE Bug 1067163 for CVE-2017-16661",
"url": "https://bugzilla.suse.com/1067163"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-16661"
},
{
"cve": "CVE-2017-16785",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-16785"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-16785",
"url": "https://www.suse.com/security/cve/CVE-2017-16785"
},
{
"category": "external",
"summary": "SUSE Bug 1068028 for CVE-2017-16785",
"url": "https://bugzilla.suse.com/1068028"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2017-16785"
},
{
"cve": "CVE-2018-20723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20723"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20723",
"url": "https://www.suse.com/security/cve/CVE-2018-20723"
},
{
"category": "external",
"summary": "SUSE Bug 1122245 for CVE-2018-20723",
"url": "https://bugzilla.suse.com/1122245"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-20723"
},
{
"cve": "CVE-2018-20724",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20724"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20724",
"url": "https://www.suse.com/security/cve/CVE-2018-20724"
},
{
"category": "external",
"summary": "SUSE Bug 1122244 for CVE-2018-20724",
"url": "https://bugzilla.suse.com/1122244"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-20724"
},
{
"cve": "CVE-2018-20725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20725"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20725",
"url": "https://www.suse.com/security/cve/CVE-2018-20725"
},
{
"category": "external",
"summary": "SUSE Bug 1122243 for CVE-2018-20725",
"url": "https://bugzilla.suse.com/1122243"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-20725"
},
{
"cve": "CVE-2018-20726",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-20726"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-20726",
"url": "https://www.suse.com/security/cve/CVE-2018-20726"
},
{
"category": "external",
"summary": "SUSE Bug 1122242 for CVE-2018-20726",
"url": "https://bugzilla.suse.com/1122242"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-20726"
},
{
"cve": "CVE-2019-16723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16723"
}
],
"notes": [
{
"category": "general",
"text": "In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16723",
"url": "https://www.suse.com/security/cve/CVE-2019-16723"
},
{
"category": "external",
"summary": "SUSE Bug 1151788 for CVE-2019-16723",
"url": "https://bugzilla.suse.com/1151788"
},
{
"category": "external",
"summary": "SUSE Bug 1214170 for CVE-2019-16723",
"url": "https://bugzilla.suse.com/1214170"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-16723"
},
{
"cve": "CVE-2019-17357",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17357"
}
],
"notes": [
{
"category": "general",
"text": "Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17357",
"url": "https://www.suse.com/security/cve/CVE-2019-17357"
},
{
"category": "external",
"summary": "SUSE Bug 1158990 for CVE-2019-17357",
"url": "https://bugzilla.suse.com/1158990"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-17357"
},
{
"cve": "CVE-2019-17358",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-17358"
}
],
"notes": [
{
"category": "general",
"text": "Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-17358",
"url": "https://www.suse.com/security/cve/CVE-2019-17358"
},
{
"category": "external",
"summary": "SUSE Bug 1158992 for CVE-2019-17358",
"url": "https://bugzilla.suse.com/1158992"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-17358"
},
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
},
{
"cve": "CVE-2020-13625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-13625"
}
],
"notes": [
{
"category": "general",
"text": "PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-13625",
"url": "https://www.suse.com/security/cve/CVE-2020-13625"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-13625",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-13625"
},
{
"cve": "CVE-2020-14295",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14295"
}
],
"notes": [
{
"category": "general",
"text": "A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14295",
"url": "https://www.suse.com/security/cve/CVE-2020-14295"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-14295",
"url": "https://bugzilla.suse.com/1173090"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14295"
},
{
"cve": "CVE-2020-14424",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14424"
}
],
"notes": [
{
"category": "general",
"text": "Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14424",
"url": "https://www.suse.com/security/cve/CVE-2020-14424"
},
{
"category": "external",
"summary": "SUSE Bug 1188188 for CVE-2020-14424",
"url": "https://bugzilla.suse.com/1188188"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-14424"
},
{
"cve": "CVE-2020-25706",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25706"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25706",
"url": "https://www.suse.com/security/cve/CVE-2020-25706"
},
{
"category": "external",
"summary": "SUSE Bug 1174850 for CVE-2020-25706",
"url": "https://bugzilla.suse.com/1174850"
},
{
"category": "external",
"summary": "SUSE Bug 1178677 for CVE-2020-25706",
"url": "https://bugzilla.suse.com/1178677"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-25706"
},
{
"cve": "CVE-2020-35701",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-35701"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-35701",
"url": "https://www.suse.com/security/cve/CVE-2020-35701"
},
{
"category": "external",
"summary": "SUSE Bug 1180804 for CVE-2020-35701",
"url": "https://bugzilla.suse.com/1180804"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-35701"
},
{
"cve": "CVE-2020-7106",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7106"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7106",
"url": "https://www.suse.com/security/cve/CVE-2020-7106"
},
{
"category": "external",
"summary": "SUSE Bug 1163749 for CVE-2020-7106",
"url": "https://bugzilla.suse.com/1163749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-7106"
},
{
"cve": "CVE-2020-7237",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7237"
}
],
"notes": [
{
"category": "general",
"text": "Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7237",
"url": "https://www.suse.com/security/cve/CVE-2020-7237"
},
{
"category": "external",
"summary": "SUSE Bug 1161297 for CVE-2020-7237",
"url": "https://bugzilla.suse.com/1161297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-7237"
},
{
"cve": "CVE-2020-8813",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8813"
}
],
"notes": [
{
"category": "general",
"text": "graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8813",
"url": "https://www.suse.com/security/cve/CVE-2020-8813"
},
{
"category": "external",
"summary": "SUSE Bug 1154087 for CVE-2020-8813",
"url": "https://bugzilla.suse.com/1154087"
},
{
"category": "external",
"summary": "SUSE Bug 1160867 for CVE-2020-8813",
"url": "https://bugzilla.suse.com/1160867"
},
{
"category": "external",
"summary": "SUSE Bug 1164675 for CVE-2020-8813",
"url": "https://bugzilla.suse.com/1164675"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cacti-1.2.18-1.2.aarch64",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.ppc64le",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.s390x",
"openSUSE Tumbleweed:cacti-1.2.18-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2020-8813"
}
]
}
OPENSUSE-SU-2024:12107-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:testng-7.4.0-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-7.4.0-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-7.4.0-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-7.4.0-2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.x86_64 | — | | Vendor Fix |
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2020-11022/ | self |
| https://www.suse.com/security/cve/CVE-2020-11022 | external |
| https://bugzilla.suse.com/1173090 | external |
| https://bugzilla.suse.com/1178434 | external |
| https://bugzilla.suse.com/1190663 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "testng-7.4.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the testng-7.4.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12107",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12107-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
}
],
"title": "testng-7.4.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12107-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "testng-7.4.0-2.1.aarch64",
"product": {
"name": "testng-7.4.0-2.1.aarch64",
"product_id": "testng-7.4.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "testng-javadoc-7.4.0-2.1.aarch64",
"product": {
"name": "testng-javadoc-7.4.0-2.1.aarch64",
"product_id": "testng-javadoc-7.4.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "testng-7.4.0-2.1.ppc64le",
"product": {
"name": "testng-7.4.0-2.1.ppc64le",
"product_id": "testng-7.4.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "testng-javadoc-7.4.0-2.1.ppc64le",
"product": {
"name": "testng-javadoc-7.4.0-2.1.ppc64le",
"product_id": "testng-javadoc-7.4.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "testng-7.4.0-2.1.s390x",
"product": {
"name": "testng-7.4.0-2.1.s390x",
"product_id": "testng-7.4.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "testng-javadoc-7.4.0-2.1.s390x",
"product": {
"name": "testng-javadoc-7.4.0-2.1.s390x",
"product_id": "testng-javadoc-7.4.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "testng-7.4.0-2.1.x86_64",
"product": {
"name": "testng-7.4.0-2.1.x86_64",
"product_id": "testng-7.4.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "testng-javadoc-7.4.0-2.1.x86_64",
"product": {
"name": "testng-javadoc-7.4.0-2.1.x86_64",
"product_id": "testng-javadoc-7.4.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-7.4.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-7.4.0-2.1.aarch64"
},
"product_reference": "testng-7.4.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-7.4.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-7.4.0-2.1.ppc64le"
},
"product_reference": "testng-7.4.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-7.4.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-7.4.0-2.1.s390x"
},
"product_reference": "testng-7.4.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-7.4.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-7.4.0-2.1.x86_64"
},
"product_reference": "testng-7.4.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-javadoc-7.4.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.aarch64"
},
"product_reference": "testng-javadoc-7.4.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-javadoc-7.4.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.ppc64le"
},
"product_reference": "testng-javadoc-7.4.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-javadoc-7.4.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.s390x"
},
"product_reference": "testng-javadoc-7.4.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "testng-javadoc-7.4.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.x86_64"
},
"product_reference": "testng-javadoc-7.4.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:testng-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-7.4.0-2.1.x86_64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:testng-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-7.4.0-2.1.x86_64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:testng-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-7.4.0-2.1.x86_64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.aarch64",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.ppc64le",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.s390x",
"openSUSE Tumbleweed:testng-javadoc-7.4.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
}
]
}
OPENSUSE-SU-2026:10764-1
Vulnerability from csaf_opensuse - Published: 2026-05-12 00:00 - Updated: 2026-05-12 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:syncthing-2.1.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-2.1.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-2.1.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-2.1.0-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.x86_64 | — | | Vendor Fix |
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2020-11022/ | self |
| https://www.suse.com/security/cve/CVE-2020-11022 | external |
| https://bugzilla.suse.com/1173090 | external |
| https://bugzilla.suse.com/1178434 | external |
| https://bugzilla.suse.com/1190663 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "syncthing-2.1.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the syncthing-2.1.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10764",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10764-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11022 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11022/"
}
],
"title": "syncthing-2.1.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-12T00:00:00Z",
"generator": {
"date": "2026-05-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10764-1",
"initial_release_date": "2026-05-12T00:00:00Z",
"revision_history": [
{
"date": "2026-05-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "syncthing-2.1.0-1.1.aarch64",
"product": {
"name": "syncthing-2.1.0-1.1.aarch64",
"product_id": "syncthing-2.1.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "syncthing-relaysrv-2.1.0-1.1.aarch64",
"product": {
"name": "syncthing-relaysrv-2.1.0-1.1.aarch64",
"product_id": "syncthing-relaysrv-2.1.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "syncthing-2.1.0-1.1.ppc64le",
"product": {
"name": "syncthing-2.1.0-1.1.ppc64le",
"product_id": "syncthing-2.1.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "syncthing-relaysrv-2.1.0-1.1.ppc64le",
"product": {
"name": "syncthing-relaysrv-2.1.0-1.1.ppc64le",
"product_id": "syncthing-relaysrv-2.1.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "syncthing-2.1.0-1.1.s390x",
"product": {
"name": "syncthing-2.1.0-1.1.s390x",
"product_id": "syncthing-2.1.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "syncthing-relaysrv-2.1.0-1.1.s390x",
"product": {
"name": "syncthing-relaysrv-2.1.0-1.1.s390x",
"product_id": "syncthing-relaysrv-2.1.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "syncthing-2.1.0-1.1.x86_64",
"product": {
"name": "syncthing-2.1.0-1.1.x86_64",
"product_id": "syncthing-2.1.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "syncthing-relaysrv-2.1.0-1.1.x86_64",
"product": {
"name": "syncthing-relaysrv-2.1.0-1.1.x86_64",
"product_id": "syncthing-relaysrv-2.1.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-2.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-2.1.0-1.1.aarch64"
},
"product_reference": "syncthing-2.1.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-2.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-2.1.0-1.1.ppc64le"
},
"product_reference": "syncthing-2.1.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-2.1.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-2.1.0-1.1.s390x"
},
"product_reference": "syncthing-2.1.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-2.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-2.1.0-1.1.x86_64"
},
"product_reference": "syncthing-2.1.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-relaysrv-2.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.aarch64"
},
"product_reference": "syncthing-relaysrv-2.1.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-relaysrv-2.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.ppc64le"
},
"product_reference": "syncthing-relaysrv-2.1.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-relaysrv-2.1.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.s390x"
},
"product_reference": "syncthing-relaysrv-2.1.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "syncthing-relaysrv-2.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.x86_64"
},
"product_reference": "syncthing-relaysrv-2.1.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11022"
}
],
"notes": [
{
"category": "general",
"text": "In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.x86_64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11022",
"url": "https://www.suse.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "SUSE Bug 1173090 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1173090"
},
{
"category": "external",
"summary": "SUSE Bug 1178434 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1178434"
},
{
"category": "external",
"summary": "SUSE Bug 1190663 for CVE-2020-11022",
"url": "https://bugzilla.suse.com/1190663"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.x86_64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-2.1.0-1.1.x86_64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.aarch64",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.s390x",
"openSUSE Tumbleweed:syncthing-relaysrv-2.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11022"
}
]
}
RHSA-2020:2217
Vulnerability from csaf_redhat - Published: 2020-05-28 14:58 - Updated: 2026-05-14 22:25
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 3.11.219 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* jquery: Cross-site scripting was present due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2217",
"url": "https://access.redhat.com/errata/RHSA-2020:2217"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2217.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 3.11 security update",
"tracking": {
"current_release_date": "2026-05-14T22:25:32+00:00",
"generator": {
"date": "2026-05-14T22:25:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2217",
"initial_release_date": "2020-05-28T14:58:14+00:00",
"revision_history": [
{
"date": "2020-05-28T14:58:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-05-28T14:58:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 3.11",
"product": {
"name": "Red Hat OpenShift Container Platform 3.11",
"product_id": "7Server-RH7-RHOSE-3.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.11::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"product": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"product_id": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.219-1.git.1.9b9b889.el7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64",
"product": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64",
"product_id": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.219-1.git.1.9b9b889.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"product": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"product_id": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/atomic-openshift-web-console@3.11.219-1.git.1.9b9b889.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le as a component of Red Hat OpenShift Container Platform 3.11",
"product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le"
},
"product_reference": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src as a component of Red Hat OpenShift Container Platform 3.11",
"product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src"
},
"product_reference": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.11",
"product_id": "7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64"
},
"product_reference": "atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.11"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-05-28T14:58:14+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system is applied.\n\nSee the following documentation, which will be updated shortly for release\n3.11.219, for important instructions on how to upgrade your cluster and fully\napply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258.",
"product_ids": [
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2217"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.ppc64le",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.src",
"7Server-RH7-RHOSE-3.11:atomic-openshift-web-console-0:3.11.219-1.git.1.9b9b889.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
}
]
}
RHSA-2020:2362
Vulnerability from csaf_redhat - Published: 2020-06-02 15:34 - Updated: 2026-05-14 22:25
A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a "constructor" or "__proto__" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix) |
An information-disclosure flaw was found in Grafana distributed by Red Hat. This flaw allows a local attacker access to potentially sensitive information such as secret_key and a bind_password from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jaeger, kiali, and servicemesh-grafana is now available for OpenShift Service Mesh 1.0.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744)\n\n* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2362",
"url": "https://access.redhat.com/errata/RHSA-2020:2362"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1739497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1739497"
},
{
"category": "external",
"summary": "1813344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813344"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1829724",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829724"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2362.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh security update",
"tracking": {
"current_release_date": "2026-05-14T22:25:27+00:00",
"generator": {
"date": "2026-05-14T22:25:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2362",
"initial_release_date": "2020-06-02T15:34:01+00:00",
"revision_history": [
{
"date": "2020-06-02T15:34:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-02T15:34:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 1.0",
"product": {
"name": "Red Hat OpenShift Service Mesh 1.0",
"product_id": "7Server-RH7-RHOSSM-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.0::el7"
}
}
},
{
"category": "product_name",
"name": "OpenShift Service Mesh 1.0",
"product": {
"name": "OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"product": {
"name": "jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"product_id": "jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jaeger@v1.13.1.redhat7-1.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"product": {
"name": "kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"product_id": "kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.0.11.redhat1-1.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"product": {
"name": "servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"product_id": "servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.2.2-36.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64",
"product": {
"name": "servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64",
"product_id": "servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana-prometheus@6.2.2-36.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "jaeger-0:v1.13.1.redhat7-1.el7.src",
"product": {
"name": "jaeger-0:v1.13.1.redhat7-1.el7.src",
"product_id": "jaeger-0:v1.13.1.redhat7-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jaeger@v1.13.1.redhat7-1.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.0.11.redhat1-1.el7.src",
"product": {
"name": "kiali-0:v1.0.11.redhat1-1.el7.src",
"product_id": "kiali-0:v1.0.11.redhat1-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.0.11.redhat1-1.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.2.2-36.el8.src",
"product": {
"name": "servicemesh-grafana-0:6.2.2-36.el8.src",
"product_id": "servicemesh-grafana-0:6.2.2-36.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.2.2-36.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jaeger-0:v1.13.1.redhat7-1.el7.src as a component of Red Hat OpenShift Service Mesh 1.0",
"product_id": "7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src"
},
"product_reference": "jaeger-0:v1.13.1.redhat7-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jaeger-0:v1.13.1.redhat7-1.el7.x86_64 as a component of Red Hat OpenShift Service Mesh 1.0",
"product_id": "7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64"
},
"product_reference": "jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.0.11.redhat1-1.el7.src as a component of Red Hat OpenShift Service Mesh 1.0",
"product_id": "7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src"
},
"product_reference": "kiali-0:v1.0.11.redhat1-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.0.11.redhat1-1.el7.x86_64 as a component of Red Hat OpenShift Service Mesh 1.0",
"product_id": "7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64"
},
"product_reference": "kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.2.2-36.el8.src as a component of OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src"
},
"product_reference": "servicemesh-grafana-0:6.2.2-36.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.2.2-36.el8.x86_64 as a component of OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64"
},
"product_reference": "servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64 as a component of OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
},
"product_reference": "servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-10744",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2019-07-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1739497"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic have issued a security advisory (ESA-2019-10) for Kibana for this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix this issue in a future release.\n\nhttps://www.elastic.co/community/security\n\nThis issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs as shipped with Red Hat Software Collections.\n\nWhilst a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate due to the library not being directly accessible increasing the attack complexity and the fact that the attacker would need some existing access - meaning the vulnerability is not crossing a privilege boundary.\n\nRed Hat Quay imports lodash as a runtime dependency of restangular. The restangular function in use by Red Hat Quay do not use lodash to parse user input. This issue therefore rated moderate impact for Red Hat Quay.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10744"
},
{
"category": "external",
"summary": "RHBZ#1739497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1739497"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744"
}
],
"release_date": "2019-08-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-02T15:34:01+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2362"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties"
},
{
"cve": "CVE-2020-7598",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-03-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1813344"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-minimist, where it was tricked into adding or modifying properties of the Object.prototype using a \"constructor\" or \"__proto__\" payload. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay only includes minimist as a dependency of the test suites, and it not include it in the product. We may fix this issue in a future Red Hat Quay release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7598"
},
{
"category": "external",
"summary": "RHBZ#1813344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7598",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764",
"url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764"
}
],
"release_date": "2020-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-02T15:34:01+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2362"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-02T15:34:01+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2362"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-12459",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1829724"
}
],
"notes": [
{
"category": "description",
"text": "An information-disclosure flaw was found in Grafana distributed by Red Hat. This flaw allows a local attacker access to potentially sensitive information such as secret_key and a bind_password from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: information disclosure through world-readable grafana configuration files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4 which sets correct permissions for configuration files.\n\nThis issue did not affect the version of grafana as shipped with Red Hat Gluster Storage 3, as it ships grafana v4.6.4 which sets correct permissions for configuration files.\n\nIn both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it\u0027s run in a container image with SELinux MCS labels this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12459"
},
{
"category": "external",
"summary": "RHBZ#1829724",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1829724"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12459",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12459"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12459",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12459"
}
],
"release_date": "2020-04-23T20:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-02T15:34:01+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2362"
},
{
"category": "workaround",
"details": "Manually change the files permission to remove readable bits for others:\n\n# chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml",
"product_ids": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.src",
"7Server-RH7-RHOSSM-1.0:jaeger-0:v1.13.1.redhat7-1.el7.x86_64",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.src",
"7Server-RH7-RHOSSM-1.0:kiali-0:v1.0.11.redhat1-1.el7.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.src",
"8Base-OSSM-1.0:servicemesh-grafana-0:6.2.2-36.el8.x86_64",
"8Base-OSSM-1.0:servicemesh-grafana-prometheus-0:6.2.2-36.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "grafana: information disclosure through world-readable grafana configuration files"
}
]
}
RHSA-2020:2412
Vulnerability from csaf_redhat - Published: 2020-07-13 17:22 - Updated: 2026-05-25 14:23

A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | Vendor Fix |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | |
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | Vendor Fix, Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | Vendor Fix, Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | Workaround |
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | Vendor Fix |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | |
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | Vendor Fix |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | |
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | Vendor Fix |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | |
A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending “rogue” IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | Vendor Fix, Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | Workaround |
A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | Vendor Fix |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | |
A flaw was found in jQuery. HTML containing `<option>` elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.

| Product | Remediation |
|---|---|
| 7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 | Vendor Fix, Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 | Workaround |
| 7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 | Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift Container Platform 4.5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allowed for panic (CVE-2020-9283)\n\n* kubernetes: Denial of service in API server via crafted YAML payloads by authorized users (CVE-2019-11254)\n\n* js-jquery: prototype pollution in object\u0027s prototype led to denial of service or remote code execution or property injection (CVE-2019-11358)\n\n* kubernetes: node localhost services reachable via martian packets (CVE-2020-8558)\n\n* containernetworking/plugins: IPv6 router advertisements allowed for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2412",
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2412.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.5 container image security update",
"tracking": {
"current_release_date": "2026-05-25T14:23:42+00:00",
"generator": {
"date": "2026-05-25T14:23:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2020:2412",
"initial_release_date": "2020-07-13T17:22:28+00:00",
"revision_history": [
{
"date": "2020-07-13T17:22:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-13T17:22:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-25T14:23:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.5",
"product": {
"name": "Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product": {
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product_id": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-logging-operator\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product": {
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product_id": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-multus-cni\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product": {
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product_id": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-oauth-server-rhel7\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product": {
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product_id": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-capacity\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product": {
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product_id": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-console\u0026tag=v4.5.0-202007012112.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product": {
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product_id": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-hyperkube\u0026tag=v4.5.0-202007100518.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product": {
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product_id": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-machine-approver\u0026tag=v4.5.0-202007012112.p0"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64"
},
"product_reference": "openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
},
"product_reference": "openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64"
},
"product_reference": "openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
},
"product_reference": "openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
},
"product_reference": "openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
},
"product_reference": "openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
},
"product_reference": "openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-11252",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2020-07-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1860158"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows the logging of credentials when mounting AzureFile and CephFS volumes. This flaw allows an attacker to access kubelet logs, read the credentials, and use them to access other services. The highest threat from this vulnerability is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) included the upstream patch for this flaw in the release of version 4.5. Prior versions are affected as OCP 4 supports AzureFile volumes and OCP 3 supports both AzureFile and CephFS volumes. OCP clusters not using these volume types are not vulnerable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11252"
},
{
"category": "external",
"summary": "RHBZ#1860158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860158"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11252"
}
],
"release_date": "2020-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephFS volumes"
},
{
"cve": "CVE-2019-11254",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-04-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1819486"
}
],
"notes": [
{
"category": "description",
"text": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The upstream Kubernetes fix for this vulnerability is to update the version of the Go dependency, gopkg.in/yaml.v2. This issue affects OpenShift Container Platform components that use versions before 2.2.8 of gopkg.in/yaml.v2 and accept YAML payloads.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11254"
},
{
"category": "external",
"summary": "RHBZ#1819486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819486"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc"
}
],
"release_date": "2020-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Prevent unauthenticated or unauthorized access to the API server",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Yuval Avrahami",
"Ariel Zelivansky"
],
"organization": "Palo Alto Networks",
"summary": "Acknowledged by upstream."
},
{
"names": [
"J\u00e1nos K\u00f6v\u00e9r"
],
"organization": "Ericsson",
"summary": "Acknowledged by upstream."
},
{
"names": [
"Rory McCune"
],
"organization": "NCC Group",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-8558",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1843358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes: node localhost services reachable via martian packets",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8558"
},
{
"category": "external",
"summary": "RHBZ#1843358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8558",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8558"
},
{
"category": "external",
"summary": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE"
}
],
"release_date": "2020-07-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes: node localhost services reachable via martian packets"
},
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
},
{
"acknowledgments": [
{
"names": [
"the Kubernetes Product Security Committee"
]
},
{
"names": [
"Etienne Champetier"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2020-10749",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2020-05-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1833220"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in affected container networking implementations that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending \u201crogue\u201d IPv6 router advertisements to the host or to other containers, redirecting their traffic through the malicious container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform 4, neither the default network plugin, OpenShift SDN, nor OVN-Kubernetes forwards IPv6 traffic, so this vulnerability is not exploitable. The affected code from containernetworking/plugins is nevertheless still included in both plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes.\n\nIPv6 traffic is likewise not forwarded by OpenShift SDN in OpenShift Container Platform 3.11, making this vulnerability not exploitable there. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10749"
},
{
"category": "external",
"summary": "RHBZ#1833220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1833220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10749",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10749"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8",
"url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8"
}
],
"release_date": "2020-06-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in jQuery. This flaw allows an attacker who can supply input to jQuery\u0027s html() method to inject JavaScript into the page where that input is rendered and have it executed by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper input neutralization in the jQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper input neutralization in the jQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. If HTML containing \u003coption\u003e elements from untrusted sources is passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, untrusted code may be executed. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of jQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected: although it uses the \u0027gcc\u0027 component, the vulnerable code is confined to the libstdc++-docs RPM package, which is not shipped.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-13T17:22:28+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for release 4.5.1, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2412"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-capacity@sha256:d5e08d20c26a06ba87da356e9d2214b3c2a9b0f95b7e38028afbd8bb48b1ca92_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-logging-operator@sha256:ba8d0825e4a292d16eae81a02bc24bb069ed547e9d1910449746cf0a643d2fe2_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-machine-approver@sha256:42c4d1b8d4597b6d36f0d38579484bfeae16bbbdcf08801405ee19e6758a361d_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-console@sha256:9b3eae3982cbfe287635f85a3eecf9aabdb233d3e6c8df725190e214d4521034_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-hyperkube@sha256:4e2b3627fe571bc63d57290cf96b914d45ebe2e0efe0b14bd3530fd34e7b288c_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-multus-cni@sha256:2a2674e5f2422cb2f1c61299cbd5a72576161d12707f86b5131e46c13d5f33e3_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-oauth-server-rhel7@sha256:143209653c725c16da6312e1cc7cc1a8c6ac634aee1eb6d5d52c31244cadc6df_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
}
]
}
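The advisory records one workaround for CVE-2020-10749: prevent untrusted, non-privileged containers from running with CAP_NET_RAW. The script below is an added example (not Red Hat's or the Kubernetes project's code) that audits Pod specs for containers that would keep that capability and shows the corresponding hardened securityContext. It assumes the container runtime's default capability set includes NET_RAW (true for the Docker and CRI-O defaults of that era), so a container keeps it unless its securityContext drops it; the Pod object is constructed for the example.

```python
"""Audit Pod specs for containers that keep CAP_NET_RAW (added example).

Implements the advisory's workaround for CVE-2020-10749: flag untrusted
containers that can still send raw packets such as rogue IPv6 router
advertisements. Assumption: the runtime's default capability set includes
NET_RAW, so only an explicit drop (of NET_RAW or ALL) removes it.
"""
from typing import Any, Dict, List


def container_keeps_net_raw(container: Dict[str, Any]) -> bool:
    """True if the container can still use CAP_NET_RAW."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True  # privileged containers hold every capability
    caps = sc.get("capabilities") or {}
    added = {c.upper() for c in caps.get("add") or []}
    dropped = {c.upper() for c in caps.get("drop") or []}
    if "NET_RAW" in added:
        return True  # explicitly re-added, regardless of drops
    return not ({"NET_RAW", "ALL"} & dropped)


def net_raw_findings(pod: Dict[str, Any]) -> List[str]:
    """Names of containers (initContainers included) that keep NET_RAW."""
    spec = pod.get("spec", {})
    containers = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
    return [c["name"] for c in containers if container_keeps_net_raw(c)]


def harden_container(container: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the container spec with NET_RAW dropped and never re-added."""
    hardened = dict(container)
    sc = dict(hardened.get("securityContext") or {})
    caps = dict(sc.get("capabilities") or {})
    caps["drop"] = sorted(set(caps.get("drop") or []) | {"NET_RAW"})
    caps["add"] = [c for c in caps.get("add") or [] if c.upper() != "NET_RAW"]
    sc["capabilities"] = caps
    hardened["securityContext"] = sc
    return hardened


# Constructed sample Pod: one container at runtime defaults, one that drops
# NET_RAW correctly, one that drops ALL but adds NET_RAW back.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "untrusted"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app:1"},
            {"name": "sidecar", "image": "example/sidecar:1",
             "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
            {"name": "probe", "image": "example/probe:1",
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
        ]
    },
}

if __name__ == "__main__":
    ns, name = SAMPLE_POD["metadata"]["namespace"], SAMPLE_POD["metadata"]["name"]
    for cname in net_raw_findings(SAMPLE_POD):
        print(f"{ns}/{name}: container {cname} keeps CAP_NET_RAW")
```

Run it against `kubectl get pod -o json` output to find offenders; on OpenShift the same policy is normally enforced cluster-wide by a SecurityContextConstraints object rather than per Pod, and this audit is a way to confirm the result.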