CVE-2021-23383 (GCVE-0-2021-23383)
Vulnerability from cvelistv5 – Published: 2021-05-04 08:35 – Updated: 2024-09-16 19:15 – Prototype Pollution
| URL | Tags |
|---|---|
| https://github.com/handlebars-lang/handlebars.js/… | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032 | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021061… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | handlebars | Affected: unspecified, < 4.7.7 (custom) | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210618-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "handlebars",
"vendor": "n/a",
"versions": [
{
"lessThan": "4.7.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Francois Lajeunesse-Robert"
}
],
"datePublic": "2021-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-18T09:06:21.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210618-0007/"
}
],
"title": "Prototype Pollution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-05-04T08:32:26.698346Z",
"ID": "CVE-2021-23383",
"STATE": "PUBLIC",
"TITLE": "Prototype Pollution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "handlebars",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.7.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Francois Lajeunesse-Robert"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427",
"refsource": "MISC",
"url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210618-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210618-0007/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23383",
"datePublished": "2021-05-04T08:35:21.209Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:15:14.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-23383",
"date": "2026-05-27",
"epss": "0.05666",
"percentile": "0.9049"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-23383\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2021-05-04T09:15:07.753\",\"lastModified\":\"2024-11-21T05:51:36.913\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.\"},{\"lang\":\"es\",\"value\":\"El package handlebars versiones anteriores a 4.7.7, son vulnerables a una Contaminaci\u00f3n de Prototipos al seleccionar determinadas opciones de compilaci\u00f3n para agrupar plantillas que provienen de una fuente no confiable\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"inte
grityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.7.7\",\"matchCriteriaId\":\"D57084A5-784A-4392-AF0D-6EB14CF4B573\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"24B8DB06-590A-4008-B0AB-FCD1401C77C6\"}]}]}],\"references\":[{\"url\":\"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210618-0007/\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210618-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2021:4628
Vulnerability from csaf_redhat - Published: 2021-11-17 02:22 - Updated: 2026-05-14 22:31 – A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le | — |
A flaw was found in nodejs-handlebars. An unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Logging 5.1.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Openshift Logging Bug Fix Release (5.1.4)\n\nSecurity Fix(es):\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4628",
"url": "https://access.redhat.com/errata/RHSA-2021:4628"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "1948761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761"
},
{
"category": "external",
"summary": "1956688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688"
},
{
"category": "external",
"summary": "LOG-1858",
"url": "https://issues.redhat.com/browse/LOG-1858"
},
{
"category": "external",
"summary": "LOG-1917",
"url": "https://issues.redhat.com/browse/LOG-1917"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4628.json"
}
],
"title": "Red Hat Security Advisory: Openshift Logging 5.1.4 bug fix and security update",
"tracking": {
"current_release_date": "2026-05-14T22:31:36+00:00",
"generator": {
"date": "2026-05-14T22:31:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:4628",
"initial_release_date": "2021-11-17T02:22:53+00:00",
"revision_history": [
{
"date": "2021-11-17T02:22:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-17T02:22:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Logging 5.1",
"product": {
"name": "OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:logging:5.1::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.4-1"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.4-2"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-41"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"product_id": "openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x",
"product_id": "openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-48"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.4-1"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"product": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.1.4-8"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.4-2"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"product": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.1.4-9"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-41"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"product_id": "openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"product_id": "openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-48"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.4-1"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.4-2"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-41"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"product_id": "openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-39"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"product_id": "openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-48"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64"
},
"product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64"
},
"product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23369",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948761"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker who can provide untrusted handlebars templates to execute arbitrary code in the JavaScript runtime (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: Remote code execution when compiling untrusted templates with the strict:true option",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed.\nThe openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container-first code.\n\nIn OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM), some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles the vulnerable Handlebars.js (with pcs); however, it does not use the \"strict\" option or templates from external sources, hence this issue has been rated as having a security impact of Low.\n\nIn Red Hat Virtualization, ovirt-engine-ui-extensions and ovirt-web-ui include Handlebars.js as a dependency of conventional-changelog-writer; it does not affect production code and as such has been given a low impact rating and set to wontfix. Handlebars.js may be updated to a newer version in future updates.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23369"
},
{
"category": "external",
"summary": "RHBZ#1948761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23369",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23369"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T02:22:53+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option"
},
{
"cve": "CVE-2021-23383",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1956688"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component which includes Handlebars.js. Starting in 4.6, kibana is shipping as \"container first\" content. As such, the fix for OCP will be seen in the affected products table under openshift4/ose-logging-kibana6. The separate package \"kibana\" listed under \"OpenShift Container Platform 4\" is only used by 4.5 and earlier and will not be fixed.\n\nIn OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use \"compat\" option and templates from external sources, hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23383"
},
{
"category": "external",
"summary": "RHBZ#1956688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23383",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23383"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-11-17T02:22:53+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:8501f1121df861950d13535f20063c942ab3a880102aecef7bf93cfa2954a506_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:520d4aff85af992db19855a00adfc9328fff3c3ca79836f60fdaffc209a36089_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:5c8ab23b7f2a15d1433256fe6680c13b34dd4e123ce55bbceb5da2e0947098b0_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ef2775e5c9c3d26d98221c679d55f8f07d0331803ab3ba53d51a1f64b71198e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:ffac4aab09e1567ed8d25d8a401032a88538a23693390d74f404a6c46ca437ab_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:48d73be0d01a4913ec69b06b04ca330adaa09d6268c2bbfc5938a7d4995aeb66_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a66bf8844b65eda728b562994f22df5c29072b0a21dbd75a6cd259b1fb9f5ffe_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:f398a1bdd3fa678aa98a35d180005ba661f2a8ce4f17f4fe30415c284082b5b5_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0655e77f05d362b0436c3f0fea41cec77ef6928291444d65e00a911c05a26063_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:815c7c0278017d894f3a059eb7ca721739229c37e8777e7e127bdf27fa471bba_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:d1bea109ca85e381f015e18f1ee6ee4eb5f7b8876903663aded66e581bfa7dda_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0b340bdd57d7a254db0b9bd875bae50619af6faf3686885a30720d0db57ac3e8_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:1f0bb97a4a23cdecc4bb887f26d362184d35a9add55844974c8f577155a62d6a_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:b4e2e17de6d611f358c671bd16b768c7961675d125a693b518861cb1ac72e942_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:3f9d0b9723a2e8071433a8fb7feb2000108702229a4281b26a02b5a2e45da7b7_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:7177e4f15fff74e74005daa12410a9481e8e98021185391dab20b1d4af294f59_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:82f2130357fd0b161f5df871aac0bfa5ac51a62f5161727ffb13e0a56c20bf93_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:39e9bfd8e3986e1eb909538d9d6ba3a9b5fd34c0d5b38ce43a437625a2a5c339_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:7cbade1bc717c611aead08262449649b39f3a296274fbe77cfc40e4e2d7c41f8_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:d6e5fd11b5846fe352b62d589413503f54f55689abd2118968aebe9eea7fc6e9_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:07419114c8a894f9561e639a9af036ba57b808c20d8d5e04ffc4533e29a592c2_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:8af2047ad56faf9b704e54f93d7cca61bae34ace6946435ff6d82a5fe90a0884_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:df544a9f4d3b4ee72aa1f83479088d094fb85b6ebfa0f4cb0329b29f2a794900_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option"
}
]
}
RHSA-2023:1334
Vulnerability from csaf_redhat - Published: 2023-03-20 09:15 - Updated: 2026-05-14 22:32
It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
Workaround
|
UnboundID LDAP SDK versions from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed, contain an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class does not check for an empty password when running in synchronous mode (commit with the applied fix: https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd). This can result in the ability to impersonate any valid user. The attack appears to be exploitable by providing a valid username and an empty password against servers that do not perform the additional validation described in https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in versions after commit 8471904a02438c03965d21367890276bc25fa5a6.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this vulnerability is to confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. This issue can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as cross-site scripting). The highest threat from this vulnerability is to confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in nodejs-handlebars. An unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the JavaScript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
A flaw was found in maven. Repositories that are defined in a dependency's Project Object Model (pom), which may be unknown to users, are used by default. This creates a potential risk if a malicious actor takes over such a repository or is able to position themselves to impersonate it. The highest threat from this vulnerability is to data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.1 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)\n\n* handlebars: nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)\n\n* handlebars: nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)\n\n* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)\n\n* handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)\n\n* rhpam-7-businesscentral-rhel8-container: maven: Block repositories using http by default (CVE-2021-26291)\n\n* unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class (CVE-2018-1000134)\n\n* handlebars: nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (CVE-2019-19919)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1334",
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "1501529",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501529"
},
{
"category": "external",
"summary": "1557531",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531"
},
{
"category": "external",
"summary": "1789959",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959"
},
{
"category": "external",
"summary": "1882256",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256"
},
{
"category": "external",
"summary": "1882260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260"
},
{
"category": "external",
"summary": "1948761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761"
},
{
"category": "external",
"summary": "1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "1956688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1334.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.2 security update",
"tracking": {
"current_release_date": "2026-05-14T22:32:55+00:00",
"generator": {
"date": "2026-05-14T22:32:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2023:1334",
"initial_release_date": "2023-03-20T09:15:52+00:00",
"revision_history": [
{
"date": "2023-03-20T09:15:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-20T09:15:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.1 async",
"product": {
"name": "RHPAM 7.13.1 async",
"product_id": "RHPAM 7.13.1 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-12629",
"cwe": {
"id": "CWE-138",
"name": "Improper Neutralization of Special Elements"
},
"discovery_date": "2017-10-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1501529"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr\u0027s Config API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Solr: Code execution via entity expansion",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.\nRed Hat JBoss Enterprise Application Platform 6\nRed Hat JBoss BPM Suite\nRed Hat JBoss BRMS\nRed Hat Enterprise Virtualization Manager\nRed Hat Single Sign-On 7\nRed Hat JBoss Portal Platform 6\n\nRed Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.\n\nRed Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.\n\nThe following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:\nRed Hat JBoss Data Grid 7 \nRed Hat Enterprise Linux 6\nRed Hat Software Collections 2.4\n\nThis issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.\n\nThis issue does not affect Elasticsearch as shipped in OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-12629"
},
{
"category": "external",
"summary": "RHBZ#1501529",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501529"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-12629",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12629"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-12629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12629"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/CVE-2017-12629",
"url": "https://access.redhat.com/security/vulnerabilities/CVE-2017-12629"
}
],
"release_date": "2017-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
},
{
"category": "workaround",
"details": "Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter `-Ddisable.configEdit=true`. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config.\n\nThis is sufficient to protect from this type of attack, but means you cannot use the edit capabilities of the Config API until further fixes are in place.",
"product_ids": [
"RHPAM 7.13.1 async"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Solr: Code execution via entity expansion"
},
{
"cve": "CVE-2018-1000134",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2018-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1557531"
}
],
"notes": [
{
"category": "description",
"text": "UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn\u0027t check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Virtualization does not use the UnboundID SDK in synchronous mode, and hence does not expose this vulnerability in its default configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-1000134"
},
{
"category": "external",
"summary": "RHBZ#1557531",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000134",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000134"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134"
},
{
"category": "external",
"summary": "https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/",
"url": "https://nawilson.com/2018/03/19/cve-2018-1000134-and-the-unboundid-ldap-sdk-for-java/"
}
],
"release_date": "2018-03-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class"
},
{
"cve": "CVE-2019-19919",
"cwe": {
"id": "CWE-471",
"name": "Modification of Assumed-Immutable Data (MAID)"
},
"discovery_date": "2020-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1789959"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object\u0027s __proto__ and __defineGetter__ properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so it has been given a low impact rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-19919"
},
{
"category": "external",
"summary": "RHBZ#1789959",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-19919",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19919"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919"
}
],
"release_date": "2019-09-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads"
},
{
"cve": "CVE-2019-20920",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-09-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1882260"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to run arbitrary code in a server processing Handlebars templates or on a victim\u0027s browser (effectively serving as Cross-Site Scripting). The highest threat from this vulnerability is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and is not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-20920"
},
{
"category": "external",
"summary": "RHBZ#1882260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-20920",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1316",
"url": "https://www.npmjs.com/advisories/1316"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1324",
"url": "https://www.npmjs.com/advisories/1324"
}
],
"release_date": "2019-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution"
},
{
"cve": "CVE-2019-20922",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2020-09-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1882256"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package\u0027s parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Virtualization includes Handlebars.js in two components. In ovirt-engine-ui-extensions, the version used is newer and not affected by this flaw. In ovirt-web-ui, Handlebars.js is included as a development dependency and is not used at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat OpenShift Container Platform (OCP) 4 delivers the kibana package, which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code. The vulnerable version of Handlebars.js is also included in openshift4/ose-grafana, but as the Grafana instance is in read-only mode, the configuration/dashboards cannot be modified.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-20922"
},
{
"category": "external",
"summary": "RHBZ#1882256",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-20922",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20922"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922"
},
{
"category": "external",
"summary": "https://www.npmjs.com/advisories/1300",
"url": "https://www.npmjs.com/advisories/1300"
}
],
"release_date": "2019-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS"
},
{
"cve": "CVE-2021-23369",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948761"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. \nThe openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.\n\nIn OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to Low.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs); however, it does not use the \"strict\" option or templates from external sources, hence this issue has been rated as having a security impact of Low.\n\nIn Red Hat Virtualization ovirt-engine-ui-extensions and ovirt-web-ui, Handlebars.js is included as a dependency of conventional-changelog-writer; it does not impact production code and as such has been given a low impact rating and set to wontfix. Handlebars.js may be updated to a newer version in future updates.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23369"
},
{
"category": "external",
"summary": "RHBZ#1948761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23369",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23369"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option"
},
{
"cve": "CVE-2021-23383",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1956688"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component which includes Handlebars.js. Starting in 4.6, kibana is shipping as \"container first\" content. As such, the fix for OCP will be seen in the affected products table under openshift4/ose-logging-kibana6. The separate package \"kibana\" listed under \"OpenShift Container Platform 4\" is only used by 4.5 and earlier and will not be fixed.\n\nIn OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth, which reduces the impact of this flaw to Low.\n\nRed Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given a low impact rating.\n\nRed Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs); however, it does not use the \"compat\" option or templates from external sources, hence this issue has been rated as having a security impact of Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-23383"
},
{
"category": "external",
"summary": "RHBZ#1956688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-23383",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23383"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option"
},
{
"cve": "CVE-2021-26291",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1955739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in maven. Repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven: Block repositories using http by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.1 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-26291"
},
{
"category": "external",
"summary": "RHBZ#1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-26291",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26291"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291"
},
{
"category": "external",
"summary": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291",
"url": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"
}
],
"release_date": "2021-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-20T09:15:52+00:00",
"details": "For on-premise installations, before applying the update, back up your existing installation including all applications, configuration files, databases and database settings, and so on.\n\nRed Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link. You must log in to download the update.",
"product_ids": [
"RHPAM 7.13.1 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1334"
},
{
"category": "workaround",
"details": "To avoid possible man-in-the-middle related attacks with this flaw, ensure any linked repositories in maven POMs use https and not http.",
"product_ids": [
"RHPAM 7.13.1 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.1 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "maven: Block repositories using http by default"
}
]
}
WID-SEC-W-2022-1646
Vulnerability from csaf_certbund - Published: 2021-06-28 22:00 - Updated: 2022-12-19 23:00Es existieren mehrere Schwachstellen in Red Hat OpenShift. Die Fehler bestehen in der Komponente node.js-handlebars aufgrund einer fehlenden Prüfung beim Abrufen von Prototyp-Eigenschaften und einem nicht abgespeicherten Wert in der Funktion JavaScriptCompiler.prototype.depthedLookup. Ein entfernter anonymer Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM Business Automation Workflow
IBM
|
cpe:/a:ibm:business_automation_workflow:-
|
— | |
|
Tenable Security Nessus Network Monitor < 6.2.0
Tenable Security
|
cpe:/a:tenable:nessus_network_monitor:6.2.0
|
— |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-1646 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1646.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-1646 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1646"
},
{
"category": "external",
"summary": "Tenable Security Advisory TNS-2022-28 vom 2022-12-19",
"url": "https://www.tenable.com/security/tns-2022-28"
},
{
"category": "external",
"summary": "Red Hat Customer Portal vom 2021-06-28",
"url": "https://access.redhat.com/errata/RHSA-2021:2500"
},
{
"category": "external",
"summary": "Red Hat Customer Portal vom 2021-06-28",
"url": "https://access.redhat.com/security/cve/CVE-2021-23369"
},
{
"category": "external",
"summary": "Red Hat Customer Portal vom 2021-06-28",
"url": "https://access.redhat.com/security/cve/CVE-2021-23383"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3016 vom 2021-08-06",
"url": "https://access.redhat.com/errata/RHSA-2021:3016"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:4628 vom 2021-11-17",
"url": "https://access.redhat.com/errata/RHSA-2021:4628"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:4032 vom 2021-11-17",
"url": "https://access.redhat.com/errata/RHSA-2021:4032"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6827893 vom 2022-10-08",
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-business-automation-workflow-cve-2018-25031-cve-2021-23369-cve-23383/"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift: Mehrere Schwachstellen erm\u00f6glichen Codeausf\u00fchrung",
"tracking": {
"current_release_date": "2022-12-19T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:36:11.081+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2022-1646",
"initial_release_date": "2021-06-28T22:00:00.000+00:00",
"revision_history": [
{
"date": "2021-06-28T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2021-08-05T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-11-16T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-10-09T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2022-12-19T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Tenable aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM Business Automation Workflow",
"product": {
"name": "IBM Business Automation Workflow",
"product_id": "T019704",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c 4.6.36",
"product": {
"name": "Red Hat OpenShift \u003c 4.6.36",
"product_id": "T019672",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.6.36"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "Tenable Security Nessus Network Monitor \u003c 6.2.0",
"product": {
"name": "Tenable Security Nessus Network Monitor \u003c 6.2.0",
"product_id": "T025651",
"product_identification_helper": {
"cpe": "cpe:/a:tenable:nessus_network_monitor:6.2.0"
}
}
}
],
"category": "vendor",
"name": "Tenable Security"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-23369",
"notes": [
{
"category": "description",
"text": "Es existieren mehrere Schwachstellen in Red Hat OpenShift. Die Fehler besteht in der Komponente node.js-handlebars aufgrund einer fehlenden Pr\u00fcfung beim Abrufen von Prototyp-Eigenschaften und einem nicht abgespeicherten Wert in der Funktion JavaScriptCompiler.prototype.depthedLookup. Ein entfernter anonymer Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"67646",
"T019704",
"T025651"
]
},
"release_date": "2021-06-28T22:00:00.000+00:00",
"title": "CVE-2021-23369"
},
{
"cve": "CVE-2021-23383",
"notes": [
{
"category": "description",
"text": "Es existieren mehrere Schwachstellen in Red Hat OpenShift. Die Fehler besteht in der Komponente node.js-handlebars aufgrund einer fehlenden Pr\u00fcfung beim Abrufen von Prototyp-Eigenschaften und einem nicht abgespeicherten Wert in der Funktion JavaScriptCompiler.prototype.depthedLookup. Ein entfernter anonymer Angreifer kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"67646",
"T019704",
"T025651"
]
},
"release_date": "2021-06-28T22:00:00.000+00:00",
"title": "CVE-2021-23383"
}
]
}
WID-SEC-W-2023-3032
Vulnerability from csaf_certbund - Published: 2023-11-29 23:00 - Updated: 2023-12-04 23:00. Es bestehen mehrere Schwachstellen in Tenable Security Nessus Network Monitor. Diese Fehler liegen unter anderem in Komponenten von Drittanbietern wie HandlebarsJS (CVE-2021-23369, CVE-2021-23383) oder OpenSSL. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuführen oder Dateien zu manipulieren. Betroffen ist Nessus Network Monitor < 6.3.1; Abhilfe schafft das Update auf 6.3.1 gemäß Tenable Advisory TNS-2023-43. Die CVE-Einträge dieses Advisories enthalten keine product_status-Angaben – die Betroffenheit ergibt sich allein aus dem Produktbaum.
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Tenable Nessus Network Monitor ist ein Netzwerk\u00fcberwachungstool zur Inventarisierung und \u00dcberwachung von Netzwerkger\u00e4ten und den genutzten Protokollen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in Tenable Security Nessus Network Monitor ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuf\u00fchren oder Dateien zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-3032 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3032.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-3032 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3032"
},
{
"category": "external",
"summary": "Tenable Security Advisories vom 2023-11-29",
"url": "https://de.tenable.com/security/tns-2023-43"
}
],
"source_lang": "en-US",
"title": "Tenable Security Nessus Network Monitor: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-12-04T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:02:11.801+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-3032",
"initial_release_date": "2023-11-29T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-11-29T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-12-04T23:00:00.000+00:00",
"number": "2",
"summary": "\u00c4nderung an der Produktbeschreibung"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Tenable Security Nessus Network Monitor \u003c 6.3.1",
"product": {
"name": "Tenable Security Nessus Network Monitor \u003c 6.3.1",
"product_id": "T031409",
"product_identification_helper": {
"cpe": "cpe:/a:tenable:nessus_network_monitor:6.3.1"
}
}
}
],
"category": "vendor",
"name": "Tenable Security"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-5363",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Tenable Security Nessus Network Monitor. Diese Fehler bestehen unter anderem in Komponenten von Drittanbietern wie HandlebarsJS oder OpenSSL aufgrund verschiedener Sicherheitsl\u00fccken. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuf\u00fchren oder Dateien zu manipulieren."
}
],
"release_date": "2023-11-29T23:00:00.000+00:00",
"title": "CVE-2023-5363"
},
{
"cve": "CVE-2021-23383",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Tenable Security Nessus Network Monitor. Diese Fehler bestehen unter anderem in Komponenten von Drittanbietern wie HandlebarsJS oder OpenSSL aufgrund verschiedener Sicherheitsl\u00fccken. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuf\u00fchren oder Dateien zu manipulieren."
}
],
"release_date": "2023-11-29T23:00:00.000+00:00",
"title": "CVE-2021-23383"
},
{
"cve": "CVE-2021-23369",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Tenable Security Nessus Network Monitor. Diese Fehler bestehen unter anderem in Komponenten von Drittanbietern wie HandlebarsJS oder OpenSSL aufgrund verschiedener Sicherheitsl\u00fccken. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuf\u00fchren oder Dateien zu manipulieren."
}
],
"release_date": "2023-11-29T23:00:00.000+00:00",
"title": "CVE-2021-23369"
},
{
"cve": "CVE-2018-9206",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Tenable Security Nessus Network Monitor. Diese Fehler bestehen unter anderem in Komponenten von Drittanbietern wie HandlebarsJS oder OpenSSL aufgrund verschiedener Sicherheitsl\u00fccken. Ein entfernter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuf\u00fchren oder Dateien zu manipulieren."
}
],
"release_date": "2023-11-29T23:00:00.000+00:00",
"title": "CVE-2018-9206"
}
]
}