CVE-2020-14040 (GCVE-0-2020-14040)
Vulnerability from cvelistv5 – Published: 2020-06-17 19:22 – Updated: 2024-08-04 12:32 – n/a
| URL | Tags |
|---|---|
| https://groups.google.com/forum/#%21topic/golang-… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.681Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-07T18:06:10.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14040",
"datePublished": "2020-06-17T19:22:31.000Z",
"dateReserved": "2020-06-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-14040",
"date": "2026-05-28",
"epss": "8e-05",
"percentile": "0.00695"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-14040\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-06-17T20:15:09.993\",\"lastModified\":\"2024-11-21T05:02:25.223\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.\"},{\"lang\":\"es\",\"value\":\"El paquete x/text anterior a la versi\u00f3n 0.3.3 para Go tiene una vulnerabilidad en la codificaci\u00f3n/unicode que podr\u00eda llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podr\u00eda proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la funci\u00f3n String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.3\",\"matchCriteriaId\":\"C111DDBC-C8B1-498F-8F36-C8AB6E1134D7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}],\"references\":[{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
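The description in the record above gives the whole mechanism: a UTF-16 decoder created with UseBOM or ExpectBOM is handed a single byte, it consumes nothing and reports no error, and transform.String (or Decoder.String) keeps calling it until the input is consumed, which never happens. The Go program below is an added example, not code from golang.org/x/text or from the CVE record. It models that contract with a small BOM-aware UTF-16 decoder that can be switched between the pre-fix behaviour (return (0, 0, nil) for a short input) and a fixed behaviour, and drives it with a transform.String-style loop that adds the one check the vulnerable caller lacked: stop when the transformer makes no progress. The decoder internals, the `fixed` switch, the error names, and what the fixed decoder does with an odd trailing byte (U+FFFD here) are assumptions of this example, not x/text's behaviour; it needs only the standard library, so it runs without fetching x/text.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

var (
	ErrShortDst   = errors.New("transform: short destination buffer")
	ErrMissingBOM = errors.New("encoding: missing byte order mark")
	ErrNoProgress = errors.New("transform: no progress and no error; a naive caller would loop forever")
)

type bomPolicy int

const (
	IgnoreBOM bomPolicy = iota // endianness fixed by the caller; a BOM is just data
	UseBOM                     // honour a leading BOM if one is present
	ExpectBOM                  // a leading BOM is mandatory
)

// utf16Decoder is a toy model of the x/text decoder (not its code); fixed=false is the pre-0.3.3 failure mode.
type utf16Decoder struct {
	policy            bomPolicy
	order             binary.ByteOrder // must be set: default endianness until a BOM says otherwise
	fixed, bomChecked bool
}

// Transform has the transform.Transformer signature; it is driven only with atEOF=true here, so ErrShortSrc is omitted.
func (d *utf16Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
	if d.policy != IgnoreBOM && !d.bomChecked {
		switch {
		case len(src) < 2 && !d.fixed:
			// Pre-fix model: the lone byte is neither consumed nor rejected and
			// no error is reported, so a "loop until consumed" caller never stops.
			return 0, 0, nil
		case len(src) >= 2 && src[0] == 0xFE && src[1] == 0xFF:
			d.order, nSrc = binary.BigEndian, 2
		case len(src) >= 2 && src[0] == 0xFF && src[1] == 0xFE:
			d.order, nSrc = binary.LittleEndian, 2
		case d.policy == ExpectBOM:
			return 0, 0, ErrMissingBOM
		}
		d.bomChecked = true // UseBOM without a BOM: keep the default order
	}
	var buf [utf8.UTFMax]byte
	for nSrc < len(src) {
		r, size := utf8.RuneError, 2
		if rest := len(src) - nSrc; rest < 2 {
			size = 1 // odd trailing byte: emit U+FFFD and consume it (assumed policy)
		} else if hi := rune(d.order.Uint16(src[nSrc:])); !utf16.IsSurrogate(hi) {
			r = hi
		} else if hi < 0xDC00 && rest >= 4 { // high surrogate with a unit after it
			if lo := rune(d.order.Uint16(src[nSrc+2:])); lo >= 0xDC00 && lo <= 0xDFFF {
				r, size = utf16.DecodeRune(hi, lo), 4
			}
		} // any other surrogate is unpaired: U+FFFD for that one unit
		n := utf8.EncodeRune(buf[:], r)
		if len(dst)-nDst < n {
			return nDst, nSrc, ErrShortDst
		}
		nDst += copy(dst[nDst:], buf[:n])
		nSrc += size
	}
	return nDst, nSrc, nil
}

// decodeString plays the role of transform.String (loop until all input is
// consumed) plus the guard that turns the CVE-2020-14040 hang into an error.
func decodeString(d *utf16Decoder, src []byte) (string, error) {
	var out []byte
	chunk := make([]byte, 8) // small on purpose so the ErrShortDst path is exercised
	for pos := 0; ; {
		nDst, nSrc, err := d.Transform(chunk, src[pos:], true)
		out = append(out, chunk[:nDst]...)
		pos += nSrc
		switch {
		case err == ErrShortDst && nDst > 0:
			continue // output flushed; call again with what is left
		case err != nil:
			return string(out), err
		case pos == len(src):
			return string(out), nil
		case nDst == 0 && nSrc == 0:
			return string(out), ErrNoProgress // the old decoder lands here instead of hanging
		}
	}
}

func main() {
	one := []byte{0x00} // the single-byte input from the CVE description (constructed)
	_, errOld := decodeString(&utf16Decoder{policy: UseBOM, order: binary.BigEndian}, one)
	s, errNew := decodeString(&utf16Decoder{policy: UseBOM, order: binary.BigEndian, fixed: true}, one)
	fmt.Printf("pre-fix model: %v\nfixed model: %q %v\n", errOld, s, errNew)
}
```

The guard in decodeString is the generic lesson: any loop that repeatedly calls a transformer, parser or decoder "until the input is consumed" needs a progress check, because a (0, 0, nil) return from the callee is otherwise a remotely triggerable hang (CWE-835, as NVD classifies this CVE). The concrete fix for real code is still the upgrade the record names: require golang.org/x/text 0.3.3 or later in go.mod (check with `go list -m golang.org/x/text`, or run govulncheck over the module).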
ALSA-2020:4694
Vulnerability from osv_almalinux
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)
- QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)
- golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
| URL | Type |
|---|---|
| https://errata.almalinux.org/8/ALSA-2020-4694.html | ADVISORY |
| https://vulners.com/cve/CVE-2020-10749 | REPORT |
| https://vulners.com/cve/CVE-2020-10756 | REPORT |
| https://vulners.com/cve/CVE-2020-14040 | REPORT |
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+2635+e4386a39"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python-podman-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-0.2.gitd0a45fe.module_el8.5.0+108+00865455"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)\n\n* QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2020:4694",
"modified": "2020-11-03T19:50:37Z",
"published": "2020-11-03T12:27:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2020-4694.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10749"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10756"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-14040"
}
],
"related": [
"CVE-2020-10749",
"CVE-2020-10756",
"CVE-2020-14040"
],
"summary": "Moderate: container-tools:rhel8 security, bug fix, and enhancement update"
}
CERTFR-2022-AVI-591
Vulnerability from certfr_avis - Published: 2022-06-30 - Updated: 2022-06-30
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Plus versions prior to 10.1.11 |
| IBM | Spectrum | IBM Spectrum Protect Client versions prior to 8.1.1.15 |
| IBM | N/A | IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data versions prior to 4.5.0 |
| IBM | Db2 | IBM® Db2® on Openshift versions prior to 11.5.7.0-cn5 |
Documentation
| Title | URL |
|---|---|
| IBM security bulletin 6596399 of 29 June 2022 | https://www.ibm.com/support/pages/node/6596399 |
| IBM security bulletin 6596971 of 29 June 2022 | https://www.ibm.com/support/pages/node/6596971 |
| IBM security bulletin 6599703 of 29 June 2022 | https://www.ibm.com/support/pages/node/6599703 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-29368",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
},
{
"name": "CVE-2021-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
},
{
"name": "CVE-2018-1099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
},
{
"name": "CVE-2021-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
},
{
"name": "CVE-2021-45485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
},
{
"name": "CVE-2022-27191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
},
{
"name": "CVE-2021-30465",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
},
{
"name": "CVE-2019-11249",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
},
{
"name": "CVE-2020-8557",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
},
{
"name": "CVE-2020-7919",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
},
{
"name": "CVE-2019-11247",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
},
{
"name": "CVE-2020-28851",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
},
{
"name": "CVE-2021-42248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
},
{
"name": "CVE-2018-1002105",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2020-15112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
},
{
"name": "CVE-2021-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
},
{
"name": "CVE-2021-25736",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
},
{
"name": "CVE-2020-27813",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
},
{
"name": "CVE-2018-17848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
},
{
"name": "CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"name": "CVE-2021-41864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
},
{
"name": "CVE-2020-36385",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
},
{
"name": "CVE-2020-25704",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
},
{
"name": "CVE-2021-25735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
},
{
"name": "CVE-2017-18367",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
},
{
"name": "CVE-2020-8564",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
},
{
"name": "CVE-2021-20206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
},
{
"name": "CVE-2019-11246",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
},
{
"name": "CVE-2021-31916",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
},
{
"name": "CVE-2021-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
},
{
"name": "CVE-2018-1098",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
},
{
"name": "CVE-2021-28971",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
},
{
"name": "CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"name": "CVE-2022-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
},
{
"name": "CVE-2021-4002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
},
{
"name": "CVE-2021-4083",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
},
{
"name": "CVE-2021-45486",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
},
{
"name": "CVE-2020-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
},
{
"name": "CVE-2017-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
},
{
"name": "CVE-2021-4157",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
},
{
"name": "CVE-2020-15106",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
},
{
"name": "CVE-2021-43784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
},
{
"name": "CVE-2021-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
},
{
"name": "CVE-2018-17142",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
},
{
"name": "CVE-2022-0185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
},
{
"name": "CVE-2022-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-44733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
},
{
"name": "CVE-2020-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
},
{
"name": "CVE-2021-20269",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
},
{
"name": "CVE-2020-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
},
{
"name": "CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"name": "CVE-2021-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2022-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
},
{
"name": "CVE-2022-1011",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
},
{
"name": "CVE-2021-3669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
},
{
"name": "CVE-2020-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
},
{
"name": "CVE-2020-10752",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
},
{
"name": "CVE-2021-28950",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
},
{
"name": "CVE-2021-29650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
},
{
"name": "CVE-2020-36322",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
},
{
"name": "CVE-2020-28852",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
},
{
"name": "CVE-2021-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
},
{
"name": "CVE-2020-15113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2018-17847",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2020-26160",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-42836",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
},
{
"name": "CVE-2020-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2018-17143",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
},
{
"name": "CVE-2019-11841",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
},
{
"name": "CVE-2018-20699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2021-3764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
},
{
"name": "CVE-2019-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
},
{
"name": "CVE-2021-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
},
{
"name": "CVE-2021-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
},
{
"name": "CVE-2022-0850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
},
{
"name": "CVE-2021-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2021-25737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
},
{
"name": "CVE-2018-17846",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
},
{
"name": "CVE-2021-4028",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
},
{
"name": "CVE-2021-43565",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
},
{
"name": "CVE-2021-25741",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
},
{
"name": "CVE-2018-16886",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2021-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2019-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
},
{
"name": "CVE-2019-11251",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
},
{
"name": "CVE-2020-36067",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
}
],
"initial_release_date": "2022-06-30T00:00:00",
"last_revision_date": "2022-06-30T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596399"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596971"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6599703"
}
]
}
CERTFR-2025-AVI-0582
Vulnerability from certfr_avis - Published: 2025-07-10 - Updated: 2025-07-10
Multiple vulnerabilities have been discovered in Palo Alto Networks products. They allow an attacker to cause privilege escalation, a security policy bypass and a security issue not specified by the vendor.
Palo Alto Networks states that CVE-2025-6554, which affects Prisma Access Browser, is being actively exploited.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| Palo Alto Networks | N/A | Autonomous Digital Experience Manager versions 5.6.x prior to 5.6.7 on macOS |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8 on Linux (availability planned for 11 July 2025) |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.2.x prior to 6.2.8-h2 (6.2.8-c243) on macOS and Windows |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.1.x and GlobalProtect App versions 6.0.x |
| Palo Alto Networks | GlobalProtect App | GlobalProtect App versions 6.3.x prior to 6.3.3-h1 (6.3.3-c650) on macOS and Windows |
| Palo Alto Networks | Prisma Access Browser | Prisma Access Browser versions prior to 138.33.5.97 |
Documentation
| Title | Publication Time | URL |
|---|---|---|
| Palo Alto Networks security bulletin CVE-2025-0139 | 2025-07-09 | https://security.paloaltonetworks.com/CVE-2025-0139 |
| Palo Alto Networks security bulletin CVE-2025-0140 | 2025-07-09 | https://security.paloaltonetworks.com/CVE-2025-0140 |
| Palo Alto Networks security bulletin PAN-SA-2025-0012 | 2025-07-09 | https://security.paloaltonetworks.com/PAN-SA-2025-0012 |
| Palo Alto Networks security bulletin CVE-2025-0141 | 2025-07-09 | https://security.paloaltonetworks.com/CVE-2025-0141 |
| Palo Alto Networks security bulletin PAN-SA-2025-0013 | 2025-07-09 | https://security.paloaltonetworks.com/PAN-SA-2025-0013 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Autonomous Digital Experience Manager versions 5.6.x ant\u00e9rieures \u00e0 5.6.7 sur macOS",
"product": {
"name": "N/A",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8 sur Linux (disponibilit\u00e9 pr\u00e9vue pour le 11 juillet 2025)",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.2.x ant\u00e9rieures \u00e0 6.2.8-h2 (6.2.8-c243) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.1.x et GlobalProtect App versions 6.0.x ",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "GlobalProtect App versions 6.3.x ant\u00e9rieures \u00e0 6.3.3-h1 (6.3.3-c650) sur macOS et Windows",
"product": {
"name": "GlobalProtect App",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
},
{
"description": "Prisma Access Browser versions ant\u00e9rieures \u00e0 138.33.5.97",
"product": {
"name": "Prisma Access Browser",
"vendor": {
"name": "Palo Alto Networks",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2020-13434",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13434"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2025-5959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5959"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2021-20305",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20305"
},
{
"name": "CVE-2025-6192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6192"
},
{
"name": "CVE-2019-5827",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5827"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2025-0140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0140"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2025-6557",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6557"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2020-15358",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15358"
},
{
"name": "CVE-2025-0139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0139"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2019-13751",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13751"
},
{
"name": "CVE-2025-0141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0141"
},
{
"name": "CVE-2025-6556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6556"
},
{
"name": "CVE-2023-27536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27536"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2019-13750",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-13750"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2024-1086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1086"
},
{
"name": "CVE-2025-6191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6191"
},
{
"name": "CVE-2025-6554",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6554"
},
{
"name": "CVE-2025-5958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5958"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2019-19603",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19603"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2020-13435",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13435"
},
{
"name": "CVE-2025-6555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6555"
}
],
"initial_release_date": "2025-07-10T00:00:00",
"last_revision_date": "2025-07-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0582",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Palo Alto Networks. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n\nPalo Alto Networks indique que la vuln\u00e9rabilit\u00e9 CVE-2025-6554, qui affecte Prisma Access Browser, est activement exploit\u00e9e.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Palo Alto Networks",
"vendor_advisories": [
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0139",
"url": "https://security.paloaltonetworks.com/CVE-2025-0139"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0140",
"url": "https://security.paloaltonetworks.com/CVE-2025-0140"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0012",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0012"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks CVE-2025-0141",
"url": "https://security.paloaltonetworks.com/CVE-2025-0141"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Palo Alto Networks PAN-SA-2025-0013",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0013"
}
]
}
FKIE_CVE-2020-14040
Vulnerability from fkie_nvd - Published: 2020-06-17 20:15 - Updated: 2024-11-21 05:02
| Vendor | Product | Version |
|---|---|---|
| golang | text | * (versionEndExcluding 0.3.3) |
| fedoraproject | fedora | 32 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C111DDBC-C8B1-498F-8F36-C8AB6E1134D7",
"versionEndExcluding": "0.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
},
{
"lang": "es",
"value": "El paquete x/text anterior a la versi\u00f3n 0.3.3 para Go tiene una vulnerabilidad en la codificaci\u00f3n/unicode que podr\u00eda llevar al decodificador UTF-16 a ingresar en un bucle infinito, causando que el programa se bloquee o se ejecute fuera de la memoria. Un atacante podr\u00eda proporcionar un solo byte a un decodificador UTF16 instanciado con UseBOM o ExpectBOM para activar un bucle infinito si se llama a la funci\u00f3n String en el Decoder, o el Decoder es pasado a golang.org/x/text/transform.String"
}
],
"id": "CVE-2020-14040",
"lastModified": "2024-11-21T05:02:25.223",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-17T20:15:09.993",
"references": [
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-5RCV-M4M3-HFH7
Vulnerability from github – Published: 2021-05-18 18:34 – Updated: 2024-05-20 19:24
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Specific Go Packages Affected
golang.org/x/text/encoding/unicode
golang.org/x/text/transform
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/text"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14040"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T14:54:58Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.\n\n### Specific Go Packages Affected\ngolang.org/x/text/encoding/unicode\ngolang.org/x/text/transform",
"id": "GHSA-5rcv-m4m3-hfh7",
"modified": "2024-05-20T19:24:15Z",
"published": "2021-05-18T18:34:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/39491"
},
{
"type": "WEB",
"url": "https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "WEB",
"url": "https://go-review.googlesource.com/c/text/+/238238"
},
{
"type": "WEB",
"url": "https://go.dev/cl/238238"
},
{
"type": "WEB",
"url": "https://go.dev/issue/39491"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/bXVeAmGOqz0"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/text Infinite loop"
}
GSD-2020-14040
Vulnerability from gsd - Updated: 2023-12-13 01:21
{
"GSD": {
"alias": "CVE-2020-14040",
"description": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"id": "GSD-2020-14040",
"references": [
"https://www.suse.com/security/cve/CVE-2020-14040.html",
"https://access.redhat.com/errata/RHSA-2021:3140",
"https://access.redhat.com/errata/RHSA-2021:2039",
"https://access.redhat.com/errata/RHSA-2021:1369",
"https://access.redhat.com/errata/RHSA-2021:1168",
"https://access.redhat.com/errata/RHSA-2021:1129",
"https://access.redhat.com/errata/RHSA-2021:0980",
"https://access.redhat.com/errata/RHSA-2021:0799",
"https://access.redhat.com/errata/RHSA-2021:0420",
"https://access.redhat.com/errata/RHSA-2020:5635",
"https://access.redhat.com/errata/RHSA-2020:5633",
"https://access.redhat.com/errata/RHSA-2020:5606",
"https://access.redhat.com/errata/RHSA-2020:5605",
"https://access.redhat.com/errata/RHSA-2020:5198",
"https://access.redhat.com/errata/RHSA-2020:5149",
"https://access.redhat.com/errata/RHSA-2020:5056",
"https://access.redhat.com/errata/RHSA-2020:5055",
"https://access.redhat.com/errata/RHSA-2020:5054",
"https://access.redhat.com/errata/RHSA-2020:4694",
"https://access.redhat.com/errata/RHSA-2020:4298",
"https://access.redhat.com/errata/RHSA-2020:4297",
"https://access.redhat.com/errata/RHSA-2020:4214",
"https://access.redhat.com/errata/RHSA-2020:3783",
"https://access.redhat.com/errata/RHSA-2020:3780",
"https://access.redhat.com/errata/RHSA-2020:3727",
"https://access.redhat.com/errata/RHSA-2020:3665",
"https://access.redhat.com/errata/RHSA-2020:3578",
"https://access.redhat.com/errata/RHSA-2020:3372",
"https://access.redhat.com/errata/RHSA-2020:3369",
"https://access.redhat.com/errata/RHSA-2020:3087",
"https://alas.aws.amazon.com/cve/html/CVE-2020-14040.html",
"https://linux.oracle.com/cve/CVE-2020-14040.html",
"https://ubuntu.com/security/CVE-2020-14040"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-14040"
],
"details": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"id": "GSD-2020-14040",
"modified": "2023-12-13T01:21:59.890740Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.3.3",
"affected_versions": "All versions before 0.3.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-835",
"CWE-937"
],
"date": "2020-11-18",
"description": "The `x/text` package for Go has a vulnerability in `encoding/unicode` that could lead to the `UTF-16` decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a `UTF16` decoder instantiated with `UseBOM` or `ExpectBOM` to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to `golang.org/x/text/transform.String`.",
"fixed_versions": [
"v0.3.3"
],
"identifier": "CVE-2020-14040",
"identifiers": [
"CVE-2020-14040"
],
"not_impacted": "All versions starting from 0.3.3",
"package_slug": "go/golang.org/x/text",
"pubdate": "2020-06-17",
"solution": "Upgrade to version 0.3.3 or above.",
"title": "Loop with Unreachable Exit Condition (Infinite Loop)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
],
"uuid": "8ab0265a-d1a9-4085-a661-0d9d9931f0ad"
},
{
"affected_range": "\u003c0.3.3",
"affected_versions": "All versions before 0.3.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-835",
"CWE-937"
],
"date": "2021-05-18",
"description": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.",
"fixed_versions": [
"0.3.3"
],
"identifier": "CVE-2020-14040",
"identifiers": [
"GHSA-5rcv-m4m3-hfh7",
"CVE-2020-14040"
],
"not_impacted": "All versions starting from 0.3.3",
"package_slug": "go/golang.org/x/text/encoding/unicode",
"pubdate": "2021-05-18",
"solution": "Upgrade to version 0.3.3 or above.",
"title": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"https://github.com/golang/go/issues/39491",
"https://github.com/golang/text/commit/23ae387dee1f90d29a23c0e87ee0b46038fbed0e",
"https://github.com/advisories/GHSA-5rcv-m4m3-hfh7"
],
"uuid": "c90a0e0c-5518-452d-9d0d-2b4fda034e75"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.3.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14040"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-11-18T14:44Z",
"publishedDate": "2020-06-17T20:15Z"
}
}
}
RHSA-2020:3087
Vulnerability from csaf_redhat - Published: 2020-07-22 07:33 - Updated: 2026-05-04 21:01
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64 | — | | Vendor Fix |
| Unresolved product id: 7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jaeger-all-in-one-rhel7-container, jaeger-agent-rhel7-container, jaeger-collector-rhel7-container, jaeger-query-rhel7-container, jaeger-ingester-rhel7-container and jaeger-rhel7-operator-container is now available for Jaeger-1.17.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Jaeger is Red Hat\u0027s distribution of the Jaeger project,\ntailored for installation into an on-premise OpenShift Container Platform\ninstallation.\n\nSecurity Fix(es):\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3087",
"url": "https://access.redhat.com/errata/RHSA-2020:3087"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "TRACING-1300",
"url": "https://issues.redhat.com/browse/TRACING-1300"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3087.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Jaeger 1.17.5 container images security update",
"tracking": {
"current_release_date": "2026-05-04T21:01:39+00:00",
"generator": {
"date": "2026-05-04T21:01:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2020:3087",
"initial_release_date": "2020-07-22T07:33:26+00:00",
"revision_history": [
{
"date": "2020-07-22T07:33:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-22T07:33:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T21:01:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Jaeger 1.17",
"product": {
"name": "Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jaeger:1.17::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Jaeger"
},
{
"branches": [
{
"category": "product_version",
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product": {
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product_id": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-agent-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product": {
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product_id": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-all-in-one-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product": {
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product_id": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-collector-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product": {
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product_id": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product": {
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product_id": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-query-rhel7\u0026tag=1.17.5-3"
}
}
},
{
"category": "product_version",
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product": {
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product_id": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428?arch=amd64\u0026repository_url=registry.redhat.io/distributed-tracing/jaeger-rhel7-operator\u0026tag=1.17.5-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64"
},
"product_reference": "distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64"
},
"product_reference": "distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64"
},
"product_reference": "distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64"
},
"product_reference": "distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64"
},
"product_reference": "distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64 as a component of Red Hat OpenShift Jaeger 1.17",
"product_id": "7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
},
"product_reference": "distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64",
"relates_to_product_reference": "7Server-RH7-JAEGER-1.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-22T07:33:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://docs.openshift.com/container-platform/4.4/jaeger/jaeger_install/rhbjaeger-updating.html",
"product_ids": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3087"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-agent-rhel7@sha256:6d6dfb8843465fedfaa5bc73d8b1ef0fe7d39f3e0bcb95508277ecc5bee56a15_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-all-in-one-rhel7@sha256:4fa3cf137dc82aea05cf970d795f6bedd213513a114b284339299eb008ad50ad_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-collector-rhel7@sha256:27be7095512eab0638ec5ec06670fd5404922884fc7bcbede92a320ab821ec09_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-ingester-rhel7@sha256:5cff6ba93d6e5a8f6853b7a5469be451383a193e85bb0505b74c94f6e50cacd9_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-query-rhel7@sha256:2a7f0915d6838ee858562a867fa57260df03704ee98b278839a731a42ace4db6_amd64",
"7Server-RH7-JAEGER-1.17:distributed-tracing/jaeger-rhel7-operator@sha256:730e0015fdeab7b9ede059a1c685e003aa33463319690375c91daa22f2830428_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
RHSA-2020:3369
Vulnerability from csaf_redhat - Published: 2020-08-06 20:19 - Updated: 2026-05-25 14:23
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
A flaw was found in jQuery. HTML containing `<option>` elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix); Workaround |
A flaw was found in macaron. Path URLs aren't cleaned before being redirected, creating an open redirect in the static handler.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Service Mesh 1.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)\n\n* jQuery: passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n\n* macaron: open redirect in the static handler (CVE-2020-12666)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3369",
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "1850034",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850034"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "1857412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3369.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh security update",
"tracking": {
"current_release_date": "2026-05-25T14:23:45+00:00",
"generator": {
"date": "2026-05-25T14:23:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2020:3369",
"initial_release_date": "2020-08-06T20:19:17+00:00",
"revision_history": [
{
"date": "2020-08-06T20:19:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-08-06T20:19:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-25T14:23:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Service Mesh 1.1",
"product": {
"name": "OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.1::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Service Mesh 1.1",
"product": {
"name": "Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "ior-0:1.1.6-1.el8.x86_64",
"product": {
"name": "ior-0:1.1.6-1.el8.x86_64",
"product_id": "ior-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-citadel@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-galley@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-istioctl@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-mixc@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-mixs@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-pilot-agent@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-pilot-discovery@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-sidecar-injector@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product_id": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product_id": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product": {
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product_id": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana-prometheus@6.4.3-13.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product": {
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product_id": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product": {
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product_id": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product_id": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ior-0:1.1.6-1.el8.src",
"product": {
"name": "ior-0:1.1.6-1.el8.src",
"product_id": "ior-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ior@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-0:1.1.6-1.el8.src",
"product": {
"name": "servicemesh-0:1.1.6-1.el8.src",
"product_id": "servicemesh-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product_id": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product_id": "servicemesh-grafana-0:6.4.3-13.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-grafana@6.4.3-13.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-cni-0:1.1.6-1.el8.src",
"product": {
"name": "servicemesh-cni-0:1.1.6-1.el8.src",
"product_id": "servicemesh-cni-0:1.1.6-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-cni@1.1.6-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "servicemesh-operator-0:1.1.6-2.el8.src",
"product": {
"name": "servicemesh-operator-0:1.1.6-2.el8.src",
"product_id": "servicemesh-operator-0:1.1.6-2.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/servicemesh-operator@1.1.6-2.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product_id": "kiali-0:v1.12.10.redhat2-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kiali@v1.12.10.redhat2-1.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.src as a component of Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src"
},
"product_reference": "kiali-0:v1.12.10.redhat2-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kiali-0:v1.12.10.redhat2-1.el7.x86_64 as a component of Red Hat OpenShift Service Mesh 1.1",
"product_id": "7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64"
},
"product_reference": "kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ior-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src"
},
"product_reference": "ior-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ior-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64"
},
"product_reference": "ior-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src"
},
"product_reference": "servicemesh-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-citadel-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-cni-0:1.1.6-1.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src"
},
"product_reference": "servicemesh-cni-0:1.1.6-1.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-cni-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-cni-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-galley-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-galley-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src"
},
"product_reference": "servicemesh-grafana-0:6.4.3-13.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64"
},
"product_reference": "servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64"
},
"product_reference": "servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-mixc-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-mixs-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-operator-0:1.1.6-2.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src"
},
"product_reference": "servicemesh-operator-0:1.1.6-2.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-operator-0:1.1.6-2.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64"
},
"product_reference": "servicemesh-operator-0:1.1.6-2.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.src as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src"
},
"product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.src",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64"
},
"product_reference": "servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64 as a component of OpenShift Service Mesh 1.1",
"product_id": "8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
},
"product_reference": "servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64",
"relates_to_product_reference": "8Base-OSSM-1.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8203",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-07-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1857412"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-lodash: prototype pollution in zipObjectDeep function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore the impact is low.\n\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\n\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8203"
},
{
"category": "external",
"summary": "RHBZ#1857412",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8203",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/712065",
"url": "https://hackerone.com/reports/712065"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1523",
"url": "https://www.npmjs.com/advisories/1523"
}
],
"release_date": "2020-04-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-lodash: prototype pollution in zipObjectDeep function"
},
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources is passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2020-12666",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850034"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in macaron. Path URLs aren\u0027t cleaned before being redirected creating an open redirect in the static handler.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "macaron: open redirect in the static handler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue has a low impact on both OpenShift Container Platform and OpenShift Service Mesh grafana containers. As neither component makes use of the Static handler, the impact is Low. A future version of Grafana may use the Macaron Static handler, so we may fix this in a future release.\n\nRed Hat Ceph Storage (RHCS) versions 3 and 4 use Grafana where the affected version of the macaron package is delivered. However, the Static handler is not used by Ceph, hence the impact of this vulnerability is Low. Ceph-2 has reached End of Extended Life Cycle Support and is no longer fixing moderates/lows.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12666"
},
{
"category": "external",
"summary": "RHBZ#1850034",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850034"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12666",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12666"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12666"
}
],
"release_date": "2020-05-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "macaron: open redirect in the static handler"
},
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:19:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3369"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.src",
"7Server-RH7-RHOSSM-1.1:kiali-0:v1.12.10.redhat2-1.el7.x86_64",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:ior-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-citadel-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.src",
"8Base-OSSM-1.1:servicemesh-cni-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-galley-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.src",
"8Base-OSSM-1.1:servicemesh-grafana-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-grafana-prometheus-0:6.4.3-13.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-istioctl-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixc-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-mixs-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.src",
"8Base-OSSM-1.1:servicemesh-operator-0:1.1.6-2.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-agent-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-pilot-discovery-0:1.1.6-1.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.src",
"8Base-OSSM-1.1:servicemesh-prometheus-0:2.14.0-14.el8.x86_64",
"8Base-OSSM-1.1:servicemesh-sidecar-injector-0:1.1.6-1.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
RHSA-2020:3372
Vulnerability from csaf_redhat - Published: 2020-08-06 20:21 - Updated: 2026-05-15 02:04
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64 | — | | Vendor Fix (fix) |
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for 3scale-istio-adapter-rhel8-container is now available for OpenShift Service Mesh.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3372",
"url": "https://access.redhat.com/errata/RHSA-2020:3372"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "MAISTRA-1716",
"url": "https://issues.redhat.com/browse/MAISTRA-1716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3372.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3scale-istio-adapter-rhel8-container security update",
"tracking": {
"current_release_date": "2026-05-15T02:04:26+00:00",
"generator": {
"date": "2026-05-15T02:04:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:3372",
"initial_release_date": "2020-08-06T20:21:37+00:00",
"revision_history": [
{
"date": "2020-08-06T20:21:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-08-06T20:21:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-15T02:04:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Service Mesh 1.0",
"product": {
"name": "OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_mesh:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Service Mesh"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64",
"product": {
"name": "openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64",
"product_id": "openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/3scale-istio-adapter-rhel8\u0026tag=1.0.0-8"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64 as a component of OpenShift Service Mesh 1.0",
"product_id": "8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
},
"product_reference": "openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64",
"relates_to_product_reference": "8Base-OSSM-1.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9283",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2020-02-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1804533"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requires connections to malicious SSH servers, with the maximum impact only a client crash. This vulnerability is rated Low for OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9283"
},
{
"category": "external",
"summary": "RHBZ#1804533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1804533"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
}
],
"release_date": "2020-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:21:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3372"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic"
},
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-08-06T20:21:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3372"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSSM-1.0:openshift-service-mesh/3scale-istio-adapter-rhel8@sha256:fcae2ea5da6d94016b2502f277b1a7fd3e29d0357fc727fcd61963026d22e607_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
RHSA-2020:3578
Vulnerability from csaf_redhat - Published: 2020-09-08 10:09 - Updated: 2026-05-04 21:01
Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit the TSVB visualization.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x | — | | Vendor Fix (fix), Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le | — | | Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64 | — | | Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x | — | | Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64 | — | | Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le | — | | Workaround |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x | — | | Workaround |
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64 | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64 | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x | — | | Vendor Fix (fix) |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le | — | | |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x | — | | |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64 | — | | |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64 | — | | |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le | — | | |
| Unresolved product id: 7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x | — | | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cluster-network-operator-container, cluster-version-operator-container, elasticsearch-operator-container, logging-kibana6-container, and ose-cluster-svcat-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Container Platform components are primarily written in Go (golang).\nThe golang.org/x/text contains text-related packages which are used for text operations, such as character encodings, text transformations, and locale-specific text handling.\n\nKibana is one of the major components of OpenShift Container Platform cluster logging.\nIt is a browser-based console interface to query, discover, and visualize the log data.\n\nSecurity Fix(es):\n\n* kibana: XSS in TSVB visualization (ESA-2020-08) (CVE-2020-7015)\n\n* golang.org/x/text: Possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3578",
"url": "https://access.redhat.com/errata/RHSA-2020:3578"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1849037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849037"
},
{
"category": "external",
"summary": "1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3578.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.5.8 security update",
"tracking": {
"current_release_date": "2026-05-04T21:01:43+00:00",
"generator": {
"date": "2026-05-04T21:01:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2020:3578",
"initial_release_date": "2020-09-08T10:09:31+00:00",
"revision_history": [
{
"date": "2020-09-08T10:09:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-09-08T10:09:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T21:01:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.5",
"product": {
"name": "Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"product": {
"name": "openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"product_id": "openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-network-operator\u0026tag=v4.5.0-202008210149.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"product": {
"name": "openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"product_id": "openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-version-operator\u0026tag=v4.5.0-202008280601.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"product": {
"name": "openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"product_id": "openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.5.0-202008310950.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"product": {
"name": "openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"product_id": "openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.5.0-202008310950.p0"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"product": {
"name": "openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"product_id": "openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-network-operator\u0026tag=v4.5.0-202008210149.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"product": {
"name": "openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"product_id": "openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-version-operator\u0026tag=v4.5.0-202008280601.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"product": {
"name": "openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"product_id": "openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.5.0-202008310950.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x",
"product": {
"name": "openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x",
"product_id": "openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.5.0-202008310950.p0"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"product": {
"name": "openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"product_id": "openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-network-operator\u0026tag=v4.5.0-202008210149.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"product": {
"name": "openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"product_id": "openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-version-operator\u0026tag=v4.5.0-202008280601.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"product": {
"name": "openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"product_id": "openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.5.0-202008310950.p0"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"product": {
"name": "openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"product_id": "openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-kibana6\u0026tag=v4.5.0-202008310950.p0"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le"
},
"product_reference": "openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64"
},
"product_reference": "openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x"
},
"product_reference": "openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64"
},
"product_reference": "openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le"
},
"product_reference": "openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x"
},
"product_reference": "openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le"
},
"product_reference": "openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x"
},
"product_reference": "openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64"
},
"product_reference": "openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64 as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64"
},
"product_reference": "openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le"
},
"product_reference": "openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x as a component of Red Hat OpenShift Container Platform 4.5",
"product_id": "7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
},
"product_reference": "openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7015",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1849037"
}
],
"notes": [
{
"category": "description",
"text": "Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kibana: XSS in TSVB visualization (ESA-2020-08)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7015"
},
{
"category": "external",
"summary": "RHBZ#1849037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7015",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7015"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7015",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7015"
},
{
"category": "external",
"summary": "https://discuss.elastic.co/t/elastic-stack-7-7-1-and-6-8-10-security-update/235573",
"url": "https://discuss.elastic.co/t/elastic-stack-7-7-1-and-6-8-10-security-update/235573"
}
],
"release_date": "2020-06-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-08T10:09:31+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for this release, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3578"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability you can set \"metrics.enabled: false\" in kibana.yml",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kibana: XSS in TSVB visualization (ESA-2020-08)"
},
{
"cve": "CVE-2020-14040",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-06-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1853652"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* OpenShift ServiceMesh (OSSM) 1.0 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities. Jaeger was packaged with ServiceMesh in 1.0, and hence is also marked OOSS, but the Jaeger-Operator is a standalone product and is affected by this vulnerability.\n\n* Because Service Telemetry Framework does not directly use unicode.UTF16, no update will be provided at this time for STF\u0027s sg-core-container.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-14040"
},
{
"category": "external",
"summary": "RHBZ#1853652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853652"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14040"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/39491",
"url": "https://github.com/golang/go/issues/39491"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0",
"url": "https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0"
}
],
"release_date": "2020-06-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-08T10:09:31+00:00",
"details": "For OpenShift Container Platform 4.5 see the following documentation, which\nwill be updated shortly for this release, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3578"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:084fd8364f530a54b7f8beba9d562a7f0bd8fed2dfe34f1d4cb35b1f32b6b30c_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:132c0a4112e13fae6abed900fd1d7c14d21b443bb39c21c67fa0223d323dc3f5_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-network-operator@sha256:9ec5a9ae1f08f0bc6fa1eb4516b5f64e7e89f3ef49589854f68ecc362b6c8cac_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:2692648061909c425f2133e958002a0ab8e2d2a89c5272e8c516651a4ae4e955_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:d852f36c75d997fb5ed8f4f6c1f7eeaaad492c62fd39dd33af73e00194fedf45_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-cluster-version-operator@sha256:ff5be8762429be98d424da42033a3cdc941ba969e0a6a9ec1027666c33538cfa_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7299422adec799d34c931a3e61fa7c64b830d0b63ca8071a2080ce408e74e271_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:7bb27b815f70cbc4e39741425e643bdb7bd0781bc3fec98eee1be78e5765804e_s390x",
"7Server-RH7-RHOSE-4.5:openshift4/ose-elasticsearch-operator@sha256:b6199dad19e9c05af81d4652d3927c263ec1e8853726632b703dbc9ee4cddfa4_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:0fd0bdf8433265a5da7b3d9f61cb5896d649c3e2966c77f79f02023ef0a43d20_amd64",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:651ec08a2be0652c9d7b709931876c2910a3c0b1881bdf75317fcaaa34af11e4_ppc64le",
"7Server-RH7-RHOSE-4.5:openshift4/ose-logging-kibana6@sha256:e22e477267031f697463351872ba50f86dce172d600fb208f91c44e1e136e397_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.