Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-16845 (GCVE-0-2020-16845)
Vulnerability from cvelistv5 – Published: 2020-08-06 17:03 – Updated: 2024-08-04 13:45
VLAI
EPSS
Summary
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
15 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:33.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q"
},
{
"name": "openSUSE-SU-2020:1178",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html"
},
{
"name": "openSUSE-SU-2020:1194",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html"
},
{
"name": "FEDORA-2020-e384830a0d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/"
},
{
"name": "FEDORA-2020-deff052e7a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
},
{
"name": "FEDORA-2020-b190375a37",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/"
},
{
"name": "openSUSE-SU-2020:1405",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html"
},
{
"name": "openSUSE-SU-2020:1407",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2459-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html"
},
{
"name": "DSA-4848",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200924-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-14T17:20:17.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q"
},
{
"name": "openSUSE-SU-2020:1178",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html"
},
{
"name": "openSUSE-SU-2020:1194",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html"
},
{
"name": "FEDORA-2020-e384830a0d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/"
},
{
"name": "FEDORA-2020-deff052e7a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/"
},
{
"name": "FEDORA-2020-a55f130272",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
},
{
"name": "FEDORA-2020-b190375a37",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/"
},
{
"name": "openSUSE-SU-2020:1405",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html"
},
{
"name": "openSUSE-SU-2020:1407",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2459-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html"
},
{
"name": "DSA-4848",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200924-0002/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-16845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/golang-announce/_ulYYcIWg3Q"
},
{
"name": "openSUSE-SU-2020:1178",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html"
},
{
"name": "openSUSE-SU-2020:1194",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html"
},
{
"name": "FEDORA-2020-e384830a0d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/"
},
{
"name": "FEDORA-2020-deff052e7a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/"
},
{
"name": "FEDORA-2020-a55f130272",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/"
},
{
"name": "FEDORA-2020-b190375a37",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/"
},
{
"name": "openSUSE-SU-2020:1405",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html"
},
{
"name": "openSUSE-SU-2020:1407",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2459-1] golang-1.7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html"
},
{
"name": "[debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html"
},
{
"name": "DSA-4848",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo",
"refsource": "CONFIRM",
"url": "https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200924-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200924-0002/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-16845",
"datePublished": "2020-08-06T17:03:33.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:33.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-16845",
"date": "2026-05-31",
"epss": "0.00147",
"percentile": "0.349"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-16845\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-08-06T18:15:13.700\",\"lastModified\":\"2024-11-21T05:07:15.297\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.\"},{\"lang\":\"es\",\"value\":\"Go versiones anteriores a 1.13.15 y versiones 14.x anteriores a 1.14.7, puede presentar un bucle de lectura infinito en las funciones ReadUvarint y ReadVarint en encoding/binary por medio de entradas no v\u00e1lidas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.13.15\",\"matchCriteriaId\":\"C9F4422E-27A3-474D-A4AF-0BEE8AD7293C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.14\",\"versionEndExcluding\":\"1.14.7\",\"matchCriteriaId\":\"9A59FA2E-0F06-4EDF-9E8C-32D6F656EB54\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200924-0002/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4848\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00028.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/NyPIaucMgXo\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/forum/#%21topic/golang-announce/_ulYYcIWg3Q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/11/msg00037.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RCFJTMKHY5ICGEM5BUFUEDDGSPJ25XU/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWRBAH4UZJO3RROQ72SYCUPFCJFA22FO/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200924-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4848\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
RHSA-2021:2122
Vulnerability from csaf_redhat - Published: 2021-06-01 04:12 - Updated: 2026-03-27 08:38Summary
Red Hat Security Advisory: OpenShift Container Platform 4.7.13 packages and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.7.13 is now available with updates to packages and images that fix several bugs.
This release includes a security update for Red Hat OpenShift Container Platform 4.7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2021:2121
Security Fix(es):
* jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2021-21642)
* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
* jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints. (CVE-2021-21643)
* jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. (CVE-2021-21644)
* jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints. (CVE-2021-21645)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.
5.9 (Medium)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.
7.5 (High)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the config-file-provider Jenkins plugin. The plugin XML parser wasn't configure to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
8.1 (High)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the config-file-provider Jenkins plugin. The plugin does not correctly perform permission checks in several HTTP endpoints, as a consequence an attacker with global Job/Configure permission can enumerate system-scoped credentials IDs of credentials stored in Jenkins.
4.3 (Medium)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A cross-site request forgery (CSRF) vulnerability was found in the config-file-provider Jenkins plugin. The plugin does not require POST requests for an HTTP endpoint which allows attackers to delete configuration files corresponding to an attacker-specified ID.
6.3 (Medium)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the config-file-provider Jenkins plugin. The plugin does not perform permission checks in several HTTP endpoints, as a consequence an attacker with Overall/Read permission is allowed to enumerate configuration file IDs.
4.3 (Medium)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
38 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.7.13 is now available with updates to packages and images that fix several bugs.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2021:2121\n\nSecurity Fix(es):\n\n* jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2021-21642)\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\n* jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints. (CVE-2021-21643)\n\n* jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. (CVE-2021-21644)\n\n* jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints. (CVE-2021-21645)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:2122",
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "1952146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952146"
},
{
"category": "external",
"summary": "1952148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952148"
},
{
"category": "external",
"summary": "1952151",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952151"
},
{
"category": "external",
"summary": "1952152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952152"
},
{
"category": "external",
"summary": "1964770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964770"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2122.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.13 packages and security update",
"tracking": {
"current_release_date": "2026-03-27T08:38:55+00:00",
"generator": {
"date": "2026-03-27T08:38:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2021:2122",
"initial_release_date": "2021-06-01T04:12:55+00:00",
"revision_history": [
{
"date": "2021-06-01T04:12:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-06-01T04:12:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-27T08:38:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.7",
"product": {
"name": "Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.7::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.7",
"product": {
"name": "Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-release-coreos-0:47.83-2.el8.src",
"product": {
"name": "redhat-release-coreos-0:47.83-2.el8.src",
"product_id": "redhat-release-coreos-0:47.83-2.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-coreos@47.83-2.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.7.1621361158-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "cri-tools-0:1.20.0-3.el7.src",
"product": {
"name": "cri-tools-0:1.20.0-3.el7.src",
"product_id": "cri-tools-0:1.20.0-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-tools@1.20.0-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_id": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_id": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "redhat-release-coreos-0:47.83-2.el8.x86_64",
"product": {
"name": "redhat-release-coreos-0:47.83-2.el8.x86_64",
"product_id": "redhat-release-coreos-0:47.83-2.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-coreos@47.83-2.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product_id": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.2-12.rhaos4.7.git9f7be76.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-tools-0:1.20.0-3.el7.x86_64",
"product": {
"name": "cri-tools-0:1.20.0-3.el7.x86_64",
"product_id": "cri-tools-0:1.20.0-3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-tools@1.20.0-3.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"product": {
"name": "cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"product_id": "cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-tools-debuginfo@1.20.0-3.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_id": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_id": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "redhat-release-coreos-0:47.83-2.el8.ppc64le",
"product": {
"name": "redhat-release-coreos-0:47.83-2.el8.ppc64le",
"product_id": "redhat-release-coreos-0:47.83-2.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-coreos@47.83-2.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_id": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_id": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_id": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.20.2-12.rhaos4.7.git9f7be76.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "redhat-release-coreos-0:47.83-2.el8.s390x",
"product": {
"name": "redhat-release-coreos-0:47.83-2.el8.s390x",
"product_id": "redhat-release-coreos-0:47.83-2.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-coreos@47.83-2.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.7.1621361158-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-tools-0:1.20.0-3.el7.src as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src"
},
"product_reference": "cri-tools-0:1.20.0-3.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-tools-0:1.20.0-3.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64"
},
"product_reference": "cri-tools-0:1.20.0-3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-tools-debuginfo-0:1.20.0-3.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64"
},
"product_reference": "cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64"
},
"product_reference": "cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le"
},
"product_reference": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x"
},
"product_reference": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le"
},
"product_reference": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x"
},
"product_reference": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64"
},
"product_reference": "cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.7.1621361158-1.el8.src as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-coreos-0:47.83-2.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le"
},
"product_reference": "redhat-release-coreos-0:47.83-2.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-coreos-0:47.83-2.el8.s390x as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x"
},
"product_reference": "redhat-release-coreos-0:47.83-2.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-coreos-0:47.83-2.el8.src as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src"
},
"product_reference": "redhat-release-coreos-0:47.83-2.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-coreos-0:47.83-2.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.7",
"product_id": "8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
},
"product_reference": "redhat-release-coreos-0:47.83-2.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-15586",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2020-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856953"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found Go\u0027s net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP.\n\nSimilar to OCP, OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low.\n\nRed Hat Gluster Storage 3 and Red Hat Openshift Container Storage 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.\n\nRed Hat Ceph Storage 3 and 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-15586"
},
{
"category": "external",
"summary": "RHBZ#1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ",
"url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ"
}
],
"release_date": "2020-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS"
},
{
"cve": "CVE-2020-16845",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1867099"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low.\n\nRed Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-16845"
},
{
"category": "external",
"summary": "RHBZ#1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo",
"url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo"
}
],
"release_date": "2020-08-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs"
},
{
"cve": "CVE-2021-21642",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2021-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1952146"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the config-file-provider Jenkins plugin. The plugin XML parser wasn\u0027t configure to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21642"
},
{
"category": "external",
"summary": "RHBZ#1952146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952146"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21642"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204",
"url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"
}
],
"release_date": "2021-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks."
},
{
"cve": "CVE-2021-21643",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2021-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1952148"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the config-file-provider Jenkins plugin. The plugin does not correctly perform permission checks in several HTTP endpoints, as a consequence an attacker with global Job/Configure permission can enumerate system-scoped credentials IDs of credentials stored in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21643"
},
{
"category": "external",
"summary": "RHBZ#1952148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952148"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21643",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21643"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21643",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21643"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254",
"url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2254"
}
],
"release_date": "2021-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints."
},
{
"cve": "CVE-2021-21644",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2021-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1952151"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in the config-file-provider Jenkins plugin. The plugin does not require POST requests for an HTTP endpoint which allows attackers to delete configuration files corresponding to an attacker-specified ID.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21644"
},
{
"category": "external",
"summary": "RHBZ#1952151",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952151"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21644",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21644"
}
],
"release_date": "2021-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability."
},
{
"cve": "CVE-2021-21645",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2021-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1952152"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the config-file-provider Jenkins plugin. The plugin does not perform permission checks in several HTTP endpoints, as a consequence an attacker with Overall/Read permission is allowed to enumerate configuration file IDs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21645"
},
{
"category": "external",
"summary": "RHBZ#1952152",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1952152"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21645",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21645"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21645",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21645"
}
],
"release_date": "2021-04-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-06-01T04:12:55+00:00",
"details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html",
"product_ids": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2122"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.src",
"7Server-RH7-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.src",
"7Server-RH7-RHOSE-4.7:cri-tools-0:1.20.0-3.el7.x86_64",
"7Server-RH7-RHOSE-4.7:cri-tools-debuginfo-0:1.20.0-3.el7.x86_64",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.src",
"8Base-RHOSE-4.7:cri-o-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debuginfo-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.ppc64le",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.s390x",
"8Base-RHOSE-4.7:cri-o-debugsource-0:1.20.2-12.rhaos4.7.git9f7be76.el8.x86_64",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.noarch",
"8Base-RHOSE-4.7:jenkins-2-plugins-0:4.7.1621361158-1.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.ppc64le",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.s390x",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.src",
"8Base-RHOSE-4.7:redhat-release-coreos-0:47.83-2.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints."
}
]
}
RHSA-2021:4103
Vulnerability from csaf_redhat - Published: 2021-11-02 17:36 - Updated: 2026-03-27 08:39Summary
Red Hat Security Advisory: OpenShift Virtualization 4.9.0 RPMs security and bug fix update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Virtualization release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.9.0 RPMs.
Security Fix(es):
* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.
5.9 (Medium)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.
7.5 (High)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.
6.5 (Medium)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go, however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default.
5.9 (Medium)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
28 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform. \n\nThis advisory contains OpenShift Virtualization 4.9.0 RPMs.\n\nSecurity Fix(es):\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\n* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)\n\n* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4103",
"url": "https://access.redhat.com/errata/RHSA-2021:4103"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "1918750",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1918750"
},
{
"category": "external",
"summary": "1958341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1958341"
},
{
"category": "external",
"summary": "1981345",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981345"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4103.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 4.9.0 RPMs security and bug fix update",
"tracking": {
"current_release_date": "2026-03-27T08:39:01+00:00",
"generator": {
"date": "2026-03-27T08:39:01+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2021:4103",
"initial_release_date": "2021-11-02T17:36:11+00:00",
"revision_history": [
{
"date": "2021-11-02T17:36:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-02T17:36:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-27T08:39:01+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 4.9 for RHEL 7",
"product": {
"name": "CNV 4.9 for RHEL 7",
"product_id": "7Server-CNV-4.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.9::el7"
}
}
},
{
"category": "product_name",
"name": "CNV 4.9 for RHEL 8",
"product": {
"name": "CNV 4.9 for RHEL 8",
"product_id": "8Base-CNV-4.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.9::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-0:4.9.0-287.el7.src",
"product": {
"name": "kubevirt-0:4.9.0-287.el7.src",
"product_id": "kubevirt-0:4.9.0-287.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@4.9.0-287.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "kubevirt-0:4.9.0-287.el8.src",
"product": {
"name": "kubevirt-0:4.9.0-287.el8.src",
"product_id": "kubevirt-0:4.9.0-287.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt@4.9.0-287.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"product_id": "kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@4.9.0-287.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@4.9.0-287.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"product_id": "kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl@4.9.0-287.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64",
"product": {
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64",
"product_id": "kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/kubevirt-virtctl-redistributable@4.9.0-287.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:4.9.0-287.el7.src as a component of CNV 4.9 for RHEL 7",
"product_id": "7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src"
},
"product_reference": "kubevirt-0:4.9.0-287.el7.src",
"relates_to_product_reference": "7Server-CNV-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:4.9.0-287.el7.x86_64 as a component of CNV 4.9 for RHEL 7",
"product_id": "7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64 as a component of CNV 4.9 for RHEL 7",
"product_id": "7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"relates_to_product_reference": "7Server-CNV-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-0:4.9.0-287.el8.src as a component of CNV 4.9 for RHEL 8",
"product_id": "8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src"
},
"product_reference": "kubevirt-0:4.9.0-287.el8.src",
"relates_to_product_reference": "8Base-CNV-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-0:4.9.0-287.el8.x86_64 as a component of CNV 4.9 for RHEL 8",
"product_id": "8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64 as a component of CNV 4.9 for RHEL 8",
"product_id": "8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
},
"product_reference": "kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64",
"relates_to_product_reference": "8Base-CNV-4.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-15586",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2020-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856953"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found Go\u0027s net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP.\n\nSimilar to OCP, OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low.\n\nRed Hat Gluster Storage 3 and Red Hat Openshift Container Storage 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.\n\nRed Hat Ceph Storage 3 and 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-15586"
},
{
"category": "external",
"summary": "RHBZ#1856953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15586"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ",
"url": "https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ"
}
],
"release_date": "2020-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-02T17:36:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4103"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: data race in certain net/http servers including ReverseProxy can lead to DoS"
},
{
"cve": "CVE-2020-16845",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2020-08-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1867099"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Go encoding/binary package. Certain invalid inputs to the ReadUvarint or the ReadVarint causes those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This flaw possibly leads to processing more input than expected. The highest threat from this vulnerability is to system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization components are primarily written in Go, meaning that any component using the encoding/binary package includes the vulnerable code. The affected components are behind OpenShift OAuth authentication, therefore the impact is low.\n\nRed Hat Gluster Storage 3, Red Hat OpenShift Container Storage 4 and Red Hat Ceph Storage (3 and 4) components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-16845"
},
{
"category": "external",
"summary": "RHBZ#1867099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867099"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo",
"url": "https://groups.google.com/g/golang-announce/c/NyPIaucMgXo"
}
],
"release_date": "2020-08-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-02T17:36:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4103"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs"
},
{
"cve": "CVE-2021-3114",
"cwe": {
"id": "CWE-682",
"name": "Incorrect Calculation"
},
"discovery_date": "2021-01-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1918750"
}
],
"notes": [
{
"category": "description",
"text": "A flaw detected in golang: crypto/elliptic, in which P-224 keys as generated can return incorrect inputs, reducing the strength of the cryptography. The highest threat from this vulnerability is confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/elliptic: incorrect operations on the P-224 curve",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3114"
},
{
"category": "external",
"summary": "RHBZ#1918750",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1918750"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3114",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3114"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3114",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3114"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/mperVMGa98w",
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
}
],
"release_date": "2021-01-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-02T17:36:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4103"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/elliptic: incorrect operations on the P-224 curve"
},
{
"cve": "CVE-2021-31525",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2021-05-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1958341"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go, however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenShift Container Platform (OCP), OpenShift Virtualization, OpenShift ServiceMesh (OSSM) and OpenShift distributed tracing (formerly OpenShift Jaeger), no server side component allows HTTP header values larger than 1 MB (the default), preventing this vulnerability from being exploited by malicious clients. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n* OpenShift Container Platform\n* OpenShift Virtualization \n* OpenShift ServiceMesh\n* OpenShift distributed tracing components.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-31525"
},
{
"category": "external",
"summary": "RHBZ#1958341",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1958341"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc",
"url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc"
}
],
"release_date": "2021-04-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-02T17:36:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4103"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-CNV-4.9:kubevirt-0:4.9.0-287.el7.src",
"7Server-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el7.x86_64",
"7Server-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el7.x86_64",
"8Base-CNV-4.9:kubevirt-0:4.9.0-287.el8.src",
"8Base-CNV-4.9:kubevirt-virtctl-0:4.9.0-287.el8.x86_64",
"8Base-CNV-4.9:kubevirt-virtctl-redistributable-0:4.9.0-287.el8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header"
}
]
}
SUSE-SU-2020:2562-1
Vulnerability from csaf_suse - Published: 2020-09-07 15:10 - Updated: 2020-09-07 15:10Summary
Security update for go1.14
Severity
Important
Notes
Title of the patch: Security update for go1.14
Description of the patch: This update for go1.14 fixes the following issues:
- go1.14 was updated to version 1.14.7
- CVE-2020-16845: dUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (bsc#1174977).
- go1.14.6 (released 2020-07-16) includes fixes to the go command,
the compiler, the linker, vet, and the database/sql,
encoding/json, net/http, reflect, and testing packages.
Refs bsc#1164903 go1.14 release tracking
Refs bsc#1174153 bsc#1174191
* go#39991 runtime: missing deferreturn on linux/ppc64le
* go#39920 net/http: panic on misformed If-None-Match Header with http.ServeContent
* go#39849 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes
* go#39824 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15
* go#39698 reflect: panic from malloc after MakeFunc function returns value that is also stored globally
* go#39636 reflect: DeepEqual can return true for values that are not equal
* go#39585 encoding/json: incorrect object key unmarshaling when using custom TextUnmarshaler as Key with string va
lues
* go#39562 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it trie
s to use an older version of dlv which only supports linux/amd64
* go#39308 testing: streaming output loses parallel subtest associations
* go#39288 cmd/vet: update for new number formats
* go#39101 database/sql: context cancellation allows statements to execute after rollback
* go#38030 doc: BuildNameToCertificate deprecated in go 1.14 not mentioned in the release notes
* go#40212 net/http: Expect 100-continue panics in httputil.ReverseProxy bsc#1174153 CVE-2020-15586
* go#40210 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows bsc#1174191 CVE-2020-14039 (Windows only)
- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is
not present bsc#1172868 gh#golang/go#35305
Patchnames: SUSE-2020-2562,SUSE-SLE-Module-Development-Tools-15-SP1-2020-2562,SUSE-SLE-Module-Development-Tools-15-SP2-2020-2562
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
20 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for go1.14",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for go1.14 fixes the following issues:\n\n- go1.14 was updated to version 1.14.7 \n- CVE-2020-16845: dUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (bsc#1174977).\t \n\n- go1.14.6 (released 2020-07-16) includes fixes to the go command,\n the compiler, the linker, vet, and the database/sql,\n encoding/json, net/http, reflect, and testing packages.\n Refs bsc#1164903 go1.14 release tracking\n Refs bsc#1174153 bsc#1174191\n * go#39991 runtime: missing deferreturn on linux/ppc64le\n * go#39920 net/http: panic on misformed If-None-Match Header with http.ServeContent\n * go#39849 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes\n * go#39824 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15\n * go#39698 reflect: panic from malloc after MakeFunc function returns value that is also stored globally\n * go#39636 reflect: DeepEqual can return true for values that are not equal\n * go#39585 encoding/json: incorrect object key unmarshaling when using custom TextUnmarshaler as Key with string va\nlues\n * go#39562 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it trie\ns to use an older version of dlv which only supports linux/amd64\n * go#39308 testing: streaming output loses parallel subtest associations\n * go#39288 cmd/vet: update for new number formats\n * go#39101 database/sql: context cancellation allows statements to execute after rollback\n * go#38030 doc: BuildNameToCertificate deprecated in go 1.14 not mentioned in the release notes\n * go#40212 net/http: Expect 100-continue panics in httputil.ReverseProxy bsc#1174153 CVE-2020-15586\n * go#40210 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows bsc#1174191 CVE-2020-14039 (Windows only)\n- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is\n not present bsc#1172868 gh#golang/go#35305\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2020-2562,SUSE-SLE-Module-Development-Tools-15-SP1-2020-2562,SUSE-SLE-Module-Development-Tools-15-SP2-2020-2562",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_2562-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2020:2562-1",
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-20202562-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2020:2562-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-September/007377.html"
},
{
"category": "self",
"summary": "SUSE Bug 1164903",
"url": "https://bugzilla.suse.com/1164903"
},
{
"category": "self",
"summary": "SUSE Bug 1169832",
"url": "https://bugzilla.suse.com/1169832"
},
{
"category": "self",
"summary": "SUSE Bug 1170826",
"url": "https://bugzilla.suse.com/1170826"
},
{
"category": "self",
"summary": "SUSE Bug 1172868",
"url": "https://bugzilla.suse.com/1172868"
},
{
"category": "self",
"summary": "SUSE Bug 1174153",
"url": "https://bugzilla.suse.com/1174153"
},
{
"category": "self",
"summary": "SUSE Bug 1174191",
"url": "https://bugzilla.suse.com/1174191"
},
{
"category": "self",
"summary": "SUSE Bug 1174977",
"url": "https://bugzilla.suse.com/1174977"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14039 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14039/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15586 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15586/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-16845 page",
"url": "https://www.suse.com/security/cve/CVE-2020-16845/"
}
],
"title": "Security update for go1.14",
"tracking": {
"current_release_date": "2020-09-07T15:10:08Z",
"generator": {
"date": "2020-09-07T15:10:08Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2020:2562-1",
"initial_release_date": "2020-09-07T15:10:08Z",
"revision_history": [
{
"date": "2020-09-07T15:10:08Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "go1.14-1.14.7-1.15.1.aarch64",
"product": {
"name": "go1.14-1.14.7-1.15.1.aarch64",
"product_id": "go1.14-1.14.7-1.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.14-doc-1.14.7-1.15.1.aarch64",
"product": {
"name": "go1.14-doc-1.14.7-1.15.1.aarch64",
"product_id": "go1.14-doc-1.14.7-1.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "go1.14-race-1.14.7-1.15.1.aarch64",
"product": {
"name": "go1.14-race-1.14.7-1.15.1.aarch64",
"product_id": "go1.14-race-1.14.7-1.15.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.14-1.14.7-1.15.1.i586",
"product": {
"name": "go1.14-1.14.7-1.15.1.i586",
"product_id": "go1.14-1.14.7-1.15.1.i586"
}
},
{
"category": "product_version",
"name": "go1.14-doc-1.14.7-1.15.1.i586",
"product": {
"name": "go1.14-doc-1.14.7-1.15.1.i586",
"product_id": "go1.14-doc-1.14.7-1.15.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.14-1.14.7-1.15.1.ppc64le",
"product": {
"name": "go1.14-1.14.7-1.15.1.ppc64le",
"product_id": "go1.14-1.14.7-1.15.1.ppc64le"
}
},
{
"category": "product_version",
"name": "go1.14-doc-1.14.7-1.15.1.ppc64le",
"product": {
"name": "go1.14-doc-1.14.7-1.15.1.ppc64le",
"product_id": "go1.14-doc-1.14.7-1.15.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.14-1.14.7-1.15.1.s390x",
"product": {
"name": "go1.14-1.14.7-1.15.1.s390x",
"product_id": "go1.14-1.14.7-1.15.1.s390x"
}
},
{
"category": "product_version",
"name": "go1.14-doc-1.14.7-1.15.1.s390x",
"product": {
"name": "go1.14-doc-1.14.7-1.15.1.s390x",
"product_id": "go1.14-doc-1.14.7-1.15.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go1.14-1.14.7-1.15.1.x86_64",
"product": {
"name": "go1.14-1.14.7-1.15.1.x86_64",
"product_id": "go1.14-1.14.7-1.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.14-doc-1.14.7-1.15.1.x86_64",
"product": {
"name": "go1.14-doc-1.14.7-1.15.1.x86_64",
"product_id": "go1.14-doc-1.14.7-1.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "go1.14-race-1.14.7-1.15.1.x86_64",
"product": {
"name": "go1.14-race-1.14.7-1.15.1.x86_64",
"product_id": "go1.14-race-1.14.7-1.15.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64"
},
"product_reference": "go1.14-1.14.7-1.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le"
},
"product_reference": "go1.14-1.14.7-1.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x"
},
"product_reference": "go1.14-1.14.7-1.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64"
},
"product_reference": "go1.14-1.14.7-1.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64"
},
"product_reference": "go1.14-1.14.7-1.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le"
},
"product_reference": "go1.14-1.14.7-1.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x"
},
"product_reference": "go1.14-1.14.7-1.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-1.14.7-1.15.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64"
},
"product_reference": "go1.14-1.14.7-1.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go1.14-doc-1.14.7-1.15.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP2",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
},
"product_reference": "go1.14-doc-1.14.7-1.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14039",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14039"
}
],
"notes": [
{
"category": "general",
"text": "In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14039",
"url": "https://www.suse.com/security/cve/CVE-2020-14039"
},
{
"category": "external",
"summary": "SUSE Bug 1174191 for CVE-2020-14039",
"url": "https://bugzilla.suse.com/1174191"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-09-07T15:10:08Z",
"details": "moderate"
}
],
"title": "CVE-2020-14039"
},
{
"cve": "CVE-2020-15586",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15586"
}
],
"notes": [
{
"category": "general",
"text": "Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15586",
"url": "https://www.suse.com/security/cve/CVE-2020-15586"
},
{
"category": "external",
"summary": "SUSE Bug 1174153 for CVE-2020-15586",
"url": "https://bugzilla.suse.com/1174153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-09-07T15:10:08Z",
"details": "important"
}
],
"title": "CVE-2020-15586"
},
{
"cve": "CVE-2020-16845",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-16845"
}
],
"notes": [
{
"category": "general",
"text": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-16845",
"url": "https://www.suse.com/security/cve/CVE-2020-16845"
},
{
"category": "external",
"summary": "SUSE Bug 1174977 for CVE-2020-16845",
"url": "https://bugzilla.suse.com/1174977"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP1:go1.14-doc-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.7-1.15.1.x86_64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.7-1.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-09-07T15:10:08Z",
"details": "moderate"
}
],
"title": "CVE-2020-16845"
}
]
}
WID-SEC-W-2023-1599
Vulnerability from csaf_certbund - Published: 2021-01-13 23:00 - Updated: 2023-06-29 22:00Summary
IBM Security Guardium: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: IBM Security Guardium ist eine Lösung für die Überwachung und Auditierung des Datenzugriffs.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Security Guardium ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme: - Linux
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
IBM DB2
IBM
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM Security Guardium Insights 2.0.2
IBM
|
cpe:/a:ibm:security_guardium:10.0
|
— |
References
7 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM Security Guardium ist eine L\u00f6sung f\u00fcr die \u00dcberwachung und Auditierung des Datenzugriffs.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Security Guardium ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1599 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2023-1599.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1599 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1599"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7008449 vom 2023-06-29",
"url": "https://www.ibm.com/support/pages/node/7008449"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6403463 vom 2021-01-13",
"url": "https://www.ibm.com/support/pages/node/6403463"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0521 vom 2021-02-15",
"url": "https://access.redhat.com/errata/RHSA-2021:0521"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0548 vom 2021-02-16",
"url": "https://access.redhat.com/errata/RHSA-2021:0548"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-4758-1 vom 2021-03-09",
"url": "https://ubuntu.com/security/notices/USN-4758-1"
}
],
"source_lang": "en-US",
"title": "IBM Security Guardium: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-06-29T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:53:55.140+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1599",
"initial_release_date": "2021-01-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2021-01-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2021-02-15T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-02-16T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-03-08T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2023-06-29T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM DB2",
"product": {
"name": "IBM DB2",
"product_id": "5104",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:-"
}
}
},
{
"category": "product_name",
"name": "IBM Security Guardium Insights 2.0.2",
"product": {
"name": "IBM Security Guardium Insights 2.0.2",
"product_id": "316562",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_guardium:10.0"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14039",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-14039"
},
{
"cve": "CVE-2020-14145",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-14145"
},
{
"cve": "CVE-2020-15168",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-15168"
},
{
"cve": "CVE-2020-15586",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-15586"
},
{
"cve": "CVE-2020-15778",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-15778"
},
{
"cve": "CVE-2020-16845",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-16845"
},
{
"cve": "CVE-2020-24553",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-24553"
},
{
"cve": "CVE-2020-4166",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4166"
},
{
"cve": "CVE-2020-4594",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4594"
},
{
"cve": "CVE-2020-4595",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4595"
},
{
"cve": "CVE-2020-4596",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4596"
},
{
"cve": "CVE-2020-4597",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4597"
},
{
"cve": "CVE-2020-4599",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4599"
},
{
"cve": "CVE-2020-4600",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4600"
},
{
"cve": "CVE-2020-4602",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4602"
},
{
"cve": "CVE-2020-4604",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-4604"
},
{
"cve": "CVE-2020-7608",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-7608"
},
{
"cve": "CVE-2020-8244",
"notes": [
{
"category": "description",
"text": "In IBM Security Guardium existieren mehrere Schwachstellen. Die Schwachstellen sind einerseits in verschiedenen Komponenten des Produktes vorhanden sowie im Produkt selbst. Ein entfernter, anonymer oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Angriff zu verursachen."
}
],
"product_status": {
"known_affected": [
"67646",
"T000126",
"5104",
"316562"
]
},
"release_date": "2021-01-13T23:00:00.000+00:00",
"title": "CVE-2020-8244"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…